FreeBSD : phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages (db1d3340-e83b-11e1-999b-e0cb4e266481)

low Nessus Plugin ID 61566

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The phpMyAdmin development team reports :

Using a crafted table name, it was possible to produce a XSS : 1) On the Database Structure page, creating a new table with a crafted name 2) On the Database Structure page, using the Empty and Drop links of the crafted table name 3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links 4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup 5) When creating a trigger for a table with a crafted name, with an invalid definition. Having crafted data in a database table, it was possible to produce a XSS : 6) When visualizing GIS data, having a crafted label name.

Solution

Update the affected package.

See Also

https://www.phpmyadmin.net/security/PMASA-2012-4/

http://www.nessus.org/u?7380c480

Plugin Details

Severity: Low

ID: 61566

File Name: freebsd_pkg_db1d3340e83b11e1999be0cb4e266481.nasl

Version: 1.8

Type: local

Published: 8/17/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:phpmyadmin, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/17/2012

Vulnerability Publication Date: 8/12/2012

Reference Information

CVE: CVE-2012-4345