Two XSS issues have been found in phpmyadmin, one only affects the 4.2-versions (CVE-2014-4348, PMASA-2014-2), the other also affects older 4.1-versions (CVE-2014-4349, PMASA-2014-3).
See upstream advisories:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php
Fixes in versions 4.1.14.1 and 4.2.4.
CVE-2014-4349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4349): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action.
CVE-2014-4348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4348): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables.
12:34 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Bump to versions 4.0.10.1, 4.1.14.2 and 4.2.7. Fixes bug 514894, 517858 and 519342.
4.1.14.2 and 4.2.7 are now in the tree.
Stabilization is happening as part of bug 517858.
A new vulnerability has been found, and the new versions come with this. No Stabilization needs to happen as part of this bug, moving it to Bug 520142, and setting it as blocker.
Vulnerable Versions not in Tree anymore. Closing, no GLSA for Cross Site Scripting.