Bug #3429

Bug #3426: phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)

[v3.0] phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)

Added by Alexander Belous over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 10/15/2014
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

CVE-2014-6300 (PMASA-2014-10): XSRF/CSRF due to DOM based XSS in the micro history feature
By deceiving a logged-in user into clicking a crafted URL, it is possible to perform remote code execution and, in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.

phpMyAdmin Team considers this vulnerability to be critical.

Affected Versions: 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4) and 4.2.x (prior to 4.2.8.1)
Solution: upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer, or 4.2.8.1 or newer, or apply the patches published at the link below.

References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php

CVE-2014-7217 (PMASA-2014-11): XSS vulnerabilities in table search and table structure pages
With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.

Affected Versions: 4.0.x (prior to 4.0.10.4), 4.1.x (prior to 4.1.14.5) and 4.2.x (prior to 4.2.9.1)
Solution: upgrade to phpMyAdmin 4.0.10.4 or newer, or 4.1.14.5 or newer, or 4.2.9.1 or newer, or apply the patch published at the link below.

References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php

Associated revisions

Revision 7020a1c2 (diff)
Added by Natanael Copa over 4 years ago

main/phpmyadmin: security upgrade to 4.2.10 (CVE-2014-6300,CVE-2014-7217)

fixes #3429

History

#1 Updated by Natanael Copa over 4 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Natanael Copa over 4 years ago

  • Category set to Security
  • Status changed from Resolved to Closed
