Commit
Signed-off-by: Ann + J.M <phpMyAdmin@ZweiSteinSoft.de>
1 parent 8201b1e, commit f9ce411. Showing 1 changed file with 53 additions and 0 deletions.
@@ -0,0 +1,53 @@ | ||
<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip=""> | ||
|
||
<py:def function="announcement_id"> | ||
PMASA-2014-2 | ||
</py:def> | ||
|
||
<py:def function="announcement_date"> | ||
|
||
</py:def> | ||
|
||
<py:def function="announcement_summary"> | ||
Self-XSS due to unescaped HTML output in recent/favorite tables navigation. | ||
</py:def> | ||
|
||
<py:def function="announcement_description"> | ||
When marking a crafted database or table name as favorite or having it in recent tables, it is possible to trigger an XSS. | ||
</py:def> | ||
|
||
<py:def function="announcement_severity"> | ||
We consider this vulnerability to be non critical. | ||
</py:def> | ||
|
||
<py:def function="announcement_mitigation"> | ||
This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form. | ||
</py:def> | ||
|
||
<py:def function="announcement_affected"> | ||
All versions since 4.2.0 and prior to 4.2.4 are affected. | ||
</py:def> | ||
|
||
<!--! Optional section | ||
<py:def function="announcement_unaffected"> | ||
</py:def> | ||
--> | ||
|
||
<py:def function="announcement_solution"> | ||
Upgrade to phpMyAdmin 4.2.4 or newer, or apply the patch listed below. | ||
</py:def> | ||
|
||
<py:def function="announcement_references"> | ||
Thanks to Madhura Jayaratne and Chirayu Chiripal for reporting this vulnerability. | ||
</py:def> | ||
|
||
<py:def function="announcement_cve"></py:def> | ||
|
||
<py:def function="announcement_cwe">661 79</py:def> | ||
|
||
<py:def function="announcement_commits"> | ||
cb7c703c03f656debcea2a16468bd53660fc888e | ||
</py:def> | ||
|
||
<xi:include href="_page.tpl" /> | ||
</html> |
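Review bot: the `announcement_date` block (the second `py:def`, right after `announcement_id`) is left empty, so the rendered PMASA-2014-2 page will carry no publication date; fill it in before this announcement goes live. `announcement_cve` is likewise empty while `announcement_commits` already names the fix commit `cb7c703c03f656debcea2a16468bd53660fc888e`, so if a CVE is assigned later this file needs a follow-up commit to add it. Minor wording: `announcement_mitigation` reads "someone who logged in to phpMyAdmin"; "someone who is logged in to phpMyAdmin" is clearer, and "non critical" in `announcement_severity` is conventionally hyphenated as "non-critical".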