Sorry this took so long, it's been a wild couple of weeks.
----- Original Message -----
> Hello Josh, Steve, vendors,
>
> multiple XSS flaws have been recently reported in the v3.4.4 (and
> earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):
>
> [1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php
>
> 1) An XSS flaw was found in the way phpMyAdmin processed row content,
> containing JavaScript code, after its inline editing and saving,
Use CVE-2011-3591
>
> 2) It was found that phpMyAdmin did not properly sanitize the content of
> db, table, and column names prior to use of their values.
Use CVE-2011-3592
>
> A remote attacker could use these flaws to conduct XSS attacks (execute
> arbitrary HTML or web script) by tricking an authenticated phpMyAdmin user
> into visiting a specially-crafted URL.
>
> References:
> [2] http://secunia.com/advisories/45991/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=738681
Thanks.
-- JB