First draft for PMASA-2014-2

Signed-off-by: Ann + J.M <phpMyAdmin@ZweiSteinSoft.de>
phpmyadmin · Jun 16, 2014 · f9ce411 · f9ce411
1 parent 8201b1e
commit f9ce411
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/templates/security/PMASA-2014-2 b/templates/security/PMASA-2014-2
@@ -0,0 +1,53 @@
+<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip="">
+
+<py:def function="announcement_id">
+PMASA-2014-2
+</py:def>
+
+<py:def function="announcement_date">
+
+</py:def>
+
+<py:def function="announcement_summary">
+Self-XSS due to unescaped HTML output in recent/favorite tables navigation.
+</py:def>
+
+<py:def function="announcement_description">
+When marking a crafted database or table name as favorite or having it in recent tables, it is possible to trigger an XSS.
+</py:def>
+
+<py:def function="announcement_severity">
+We consider this vulnerability to be non critical.
+</py:def>
+
+<py:def function="announcement_mitigation">
+This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.
+</py:def>
+
+<py:def function="announcement_affected">
+All versions since 4.2.0 and prior to 4.2.4 are affected.
+</py:def>
+
+<!--! Optional section
+<py:def function="announcement_unaffected">
+</py:def>
+-->
+
+<py:def function="announcement_solution">
+Upgrade to phpMyAdmin 4.2.4 or newer, or apply the patch listed below.
+</py:def>
+
+<py:def function="announcement_references">
+Thanks to Madhura Jayaratne and Chirayu Chiripal for reporting this vulnerability.
+</py:def>
+
+<py:def function="announcement_cve"></py:def>
+
+<py:def function="announcement_cwe">661 79</py:def>
+
+<py:def function="announcement_commits">
+cb7c703c03f656debcea2a16468bd53660fc888e
+</py:def>
+
+<xi:include href="_page.tpl" />
+</html>