phpMyAdmin 3.4.x < 3.4.5 Cross-site Scripting (PMASA-2011-14)

This script is Copyright (C) 2011 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP application that is affected by
multiple cross-site scripting vulnerabilities.

Description :

The version of phpMyAdmin on the remote host is 3.4.x prior to 3.4.5.
This version is affected by multiple cross-site scripting
vulnerabilities:

- The data used in the row content display after inline
editing is not properly sanitized before it is passed
back to the browser.

- The data passed in as table, column, and index names
is not properly sanitized before it is passed back to
the browser.

A remote attacker may use these issues to cause arbitrary code to be
executed in a user's browser, to steal authentication cookies and/or
to launch other types of attacks.

See also :

http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php

Solution :

Apply the vendor patches or upgrade to phpMyAdmin version 3.4.5 or
later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 56379

Bugtraq ID: 49648

CVE ID: