Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 30 Sep 2011 13:43:00 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14)

Sorry this took so long, it's been a wild couple of weeks.

----- Original Message -----
> Hello Josh, Steve, vendors,
> 
>    multiple XSS flaws have been recently reported in the v3.4.4 (and
>    earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):
> 
> [1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php
> 
> 1) An XSS flaw was found in the way phpMyAdmin processed row content,
> containing JavaScript code, after its inline editing and saving,

Use CVE-2011-3591

> 
> 2) It was found that phpMyAdmin did not properly sanitize the content of
> db, table, and column names prior use of their values.

Use CVE-2011-3592

> 
> A remote attacker could use these flaws to conduct XSS attacks (execute
> arbitrary HTML or web script) by tricking authenticated phpMyAdmin user
> into visiting of a specially-crafted URL.
> 
> References:
> [2] http://secunia.com/advisories/45991/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=738681

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.