phpMyAdmin 3.3.x / 3.4.x < 3.3.10.4 / 3.4.4 XSS (PMASA-2011-13

This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP application that is affected by
multiple cross-site scripting vulnerabilities.

Description :

The remote host contains a version of phpMyAdmin - 3.3.x less than
3.3.10.4 or 3.4.x less than 3.4.4 - that is affected by multiple
cross-site scripting vulnerabilities.

The data in the 'table', 'column', and 'index' variables of the script
'tbl_tracking.php' are not properly sanitized before being sent to the
browser.

These errors can allow an unauthenticated user to trick an
authenticated user into requesting a URL thereby injecting arbitrary
HTML or script code into the authenticated user's browser.

These errors can also allow an attacker who has access to the database
to create persistent strings of cross-site scripting code that will
inject arbitrary HTML or script code into an authenticated user's
browser at a later time.

See also :

http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php
http://fd.the-wildcat.de/pma_e36aa9e2e0.php

Solution :

Upgrade to phpMyAdmin version 3.3.10.4 / 3.4.4 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 55993 ()

Bugtraq ID: 49306

CVE ID: CVE-2011-3181

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial