From ${URL} : The 4.0.10.4, 4.1.14.5, and 4.2.9.1 releases of phpMyAdmin fix a cross-site scripting (XSS) flaw: "With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages." The attacker must have a valid login. References: http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
This bump was already done[1], I was waiting to see if there was a request for a CVE in oss-security.
[1] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-db/phpmyadmin/
arches, please mark stable
=dev-db/phpmyadmin-4.0.10.4
=dev-db/phpmyadmin-4.1.14.5
=dev-db/phpmyadmin-4.2.9.1
Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
CVE-2014-7217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7217): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php.
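The CVE text above describes the bug class: an ENUM value taken from the column definition is written into the page without HTML encoding. The following is an added illustration, not phpMyAdmin's own code; the function names (parseEnumValues, renderOptionsUnsafe, renderOptionsSafe) and the sample column type are constructed for this example. It parses a MySQL ENUM type string and renders the values once unescaped (the vulnerable pattern) and once through htmlspecialchars() for both attribute and text context (the fix pattern).

```php
<?php
// Added example (not phpMyAdmin code): parse a MySQL ENUM column type
// and render its values as <option> elements, unescaped vs. escaped.

/**
 * Parse the value list from a MySQL column type such as
 * enum('small','medium','it''s') into an array of raw strings.
 * Handles the doubled single-quote escape used by SHOW COLUMNS output.
 */
function parseEnumValues(string $columnType): array
{
    if (!preg_match('/^enum\((.*)\)$/is', trim($columnType), $m)) {
        return [];
    }
    $values = [];
    // Each value is '...' with embedded quotes doubled as ''.
    preg_match_all("/'((?:[^']|'')*)'/", $m[1], $matches);
    foreach ($matches[1] as $raw) {
        $values[] = str_replace("''", "'", $raw);
    }
    return $values;
}

// Vulnerable pattern: the ENUM value is interpolated straight into HTML,
// so a value containing quotes or angle brackets becomes markup.
function renderOptionsUnsafe(array $values): string
{
    $html = '';
    foreach ($values as $v) {
        $html .= '<option value="' . $v . '">' . $v . '</option>';
    }
    return $html;
}

// Hardened pattern: every value is HTML-encoded for both attribute and
// text context before it reaches the page.
function renderOptionsSafe(array $values): string
{
    $html = '';
    foreach ($values as $v) {
        $e = htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<option value="' . $e . '">' . $e . '</option>';
    }
    return $html;
}

// Constructed sample: a benign value, one with an embedded quote, and
// one that closes the attribute and adds a tag (harmless bold here).
$type   = "enum('small','it''s','x\"><b>injected</b>')";
$values = parseEnumValues($type);

echo "Unsafe:\n" . renderOptionsUnsafe($values) . "\n\n";
echo "Safe:\n"   . renderOptionsSafe($values)   . "\n";
```

Run with `php example.php`: the unsafe output contains a literal `<b>` element inside the `<option>` list, while the safe output shows the same value as `x&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`. The point for review is that the escaping happens at output time, per context, and is not a property of the stored column definition.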
No GLSA for Cross Site Scripting.
Setting cleanup dependency on bug 530054 to cleanup version: 4.1.14.3
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions. Old version cleaned.
Closed