[v3.0] phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)
CVE-2014-6300 (PMASA-2014-10): XSRF/CSRF due to DOM based XSS in the
micro history feature
By deceiving a logged-in user into clicking a crafted URL, it is possible
to perform remote code execution and, in some cases, create a root
account due to a DOM based XSS vulnerability in the micro history
feature.
phpMyAdmin Team considers this vulnerability to be critical.
Affected Versions: 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4)
and 4.2.x (prior to 4.2.8.1)
Solution: upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer,
or 4.2.8.1 or newer, or apply the patches published by the link below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php
CVE-2014-7217 (PMASA-2014-11): XSS vulnerabilities in table search and
table structure pages
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages. This vulnerability can be triggered
only by someone who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the required
pages.
Affected Versions: 4.0.x (prior to 4.0.10.4), 4.1.x (prior to 4.1.14.5)
and 4.2.x (prior to 4.2.9.1)
Solution: upgrade to phpMyAdmin 4.0.10.4 or newer, or 4.1.14.5 or newer,
or 4.2.9.1 or newer, or apply the patch published by the link below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php
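The two advisories above give different fixed versions per release branch, and the Alpine package carries a `-rN` release suffix, so checking "am I patched?" by eye is error-prone. The following is an added example (not part of this issue, the Alpine package or phpMyAdmin's own code) that encodes the affected-version ranges exactly as stated above and reports which of the two CVEs a given version is still exposed to. The `FIXED` table, `parse_version` and `affected_by` names are assumptions of this example; branches the advisories do not mention (3.x, 4.3.x) are treated as out of scope and return an empty list rather than a verdict.

```python
# Added example: version check against the PMASA-2014-10 / PMASA-2014-11
# affected ranges quoted in the advisories. Not code from phpMyAdmin or Alpine.
import re

# First fixed version on each branch, as stated by the advisories.
FIXED = {
    "CVE-2014-6300": {"4.0": "4.0.10.3", "4.1": "4.1.14.4", "4.2": "4.2.8.1"},
    "CVE-2014-7217": {"4.0": "4.0.10.4", "4.1": "4.1.14.5", "4.2": "4.2.9.1"},
}


def parse_version(version):
    """Turn '4.2.10' or the Alpine form '4.2.10-r0' into a tuple of ints.

    Anything after the first '-' (the package release suffix) is ignored,
    because the upstream version is what the advisories talk about.
    """
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in core.split("."))


def branch_of(version):
    """Return the 'major.minor' branch the advisories key their fixes on."""
    parts = parse_version(version)
    return "%d.%d" % (parts[0], parts[1]) if len(parts) >= 2 else str(parts[0])


def affected_by(version):
    """List the CVE ids (in advisory order) that `version` is still affected by.

    Tuple comparison does the right thing for prefixes: (4, 2, 8) < (4, 2, 8, 1),
    so 4.2.8 is reported as older than the fixed 4.2.8.1. Branches the
    advisories do not name return an empty list (no information, not "safe").
    """
    installed = parse_version(version)
    branch = branch_of(version)
    exposed = []
    for cve, fixes in FIXED.items():
        fixed = fixes.get(branch)
        if fixed is not None and installed < parse_version(fixed):
            exposed.append(cve)
    return exposed


if __name__ == "__main__":
    # Constructed sample inputs, including the version this issue was closed with.
    for v in ("4.2.8", "4.2.8.1", "4.2.9", "4.2.10-r0", "4.0.10.3-r0", "4.1.14.5"):
        print("%-12s -> %s" % (v, affected_by(v) or "not affected by either advisory"))
```

Running the block prints one verdict per sample version; for the package version in the changeset below this issue (4.2.10) both CVEs come back clear, while 4.2.8.1 is fixed for CVE-2014-6300 but still short of the 4.2.9.1 needed for CVE-2014-7217.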
(from redmine: issue id 3429, created on 2014-10-15, closed on 2014-10-23)
- Relations:
  - parent #3426 (closed)
- Changesets:
  - Revision 7020a1c2 by Natanael Copa on 2014-10-21T09:53:27Z:
    main/phpmyadmin: security upgrade to 4.2.10 (CVE-2014-6300,CVE-2014-7217)
    fixes #3429