phpMyAdmin 4.0.x < 4.0.3 'view_create.php' XSS

Severity: Low | Nessus Network Monitor Plugin ID 6919

Synopsis

The remote web server contains a PHP application that is affected by a potential security vulnerability.

Description

Versions of phpMyAdmin 4.0.0 through 4.0.3 are potentially affected by a cross-site scripting vulnerability in the 'view_create.php' script of the 'Create View' page. The issue occurs when a view is created with a crafted name together with an incorrect 'CREATE' statement: the name is reflected into the resulting page without adequate output encoding. An attacker may leverage this to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Solution

Apply the vendor patches or upgrade to phpMyAdmin 4.0.3 or later.

See Also

http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php

http://github.com/phpmyadmin/phpmyadmin/commit/9b3551601ce714adb5e3f428476052f0ec6093bf

Plugin Details

Severity: Low

ID: 6919

Family: CGI

Published: 7/10/2013

Updated: 3/6/2019

Nessus ID: 67227

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.9

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Patch Publication Date: 6/5/2013

Vulnerability Publication Date: 6/5/2013

Reference Information

CVE: CVE-2013-3742

BID: 61029