FreeBSD : phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability (f682a506-df7c-11e5-81e4-6805ca0b3d42)

medium Nessus Plugin ID 89049

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The phpMyAdmin development team reports :

XSS vulnerability in SQL parser.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.

A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.

Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

With a crafted table/column name it is possible to trigger an XSS attack in the database normalization page.

With a crafted parameter it is possible to trigger an XSS attack in the database structure page.

With a crafted parameter it is possible to trigger an XSS attack in central columns page.

We consider this vulnerability to be non-critical.

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

We consider this vulnerability to be serious.

Solution

Update the affected package.

See Also

https://www.phpmyadmin.net/security/PMASA-2016-10/

https://www.phpmyadmin.net/security/PMASA-2016-11/

https://www.phpmyadmin.net/security/PMASA-2016-12/

https://www.phpmyadmin.net/security/PMASA-2016-13/

http://www.nessus.org/u?9e40ddd8

Plugin Details

Severity: Medium

ID: 89049

File Name: freebsd_pkg_f682a506df7c11e581e46805ca0b3d42.nasl

Version: 2.5

Type: local

Published: 3/1/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:phpmyadmin, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/1/2016

Vulnerability Publication Date: 2/29/2016

Reference Information

CVE: CVE-2016-2559, CVE-2016-2560, CVE-2016-2561, CVE-2016-2562