
phpMyAdmin 4.6.x < 4.6.3 Multiple Vulnerabilities

Medium

Synopsis

The remote web server contains a version of phpMyAdmin that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 4.6.x prior to 4.6.3 are unpatched, and therefore affected by the following vulnerabilities:

- A flaw exists in the Partition Range functionality that allows a cross-site scripting (XSS) attack. This flaw exists because the 'templates/table/structure/display_partitions.phtml' script does not validate input when handling table parameters before returning them to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 140497)

- A flaw exists that allows an XSS attack. This flaw exists because the 'templates/table/structure/display_table_stats.phtml' script does not validate input when handling table comments before returning them to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 140501)

- A flaw exists that may allow a context-dependent attacker to inject arbitrary values into browser cookies. No further details have been provided by the vendor. Note that this vulnerability is not present on a server configured to set 'PHP_SELF'. (OSVDB 140502)
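A version-range check for this advisory, added here as an example and not part of the plugin itself: it decides whether a phpMyAdmin version string falls in the affected range (4.6.x prior to 4.6.3), and distinguishes releases outside the 4.6 branch, which this advisory does not cover. Treating a pre-release tag of the fixed version (for example 4.6.3-rc1) as still affected is an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Affected range stated by the advisory: 4.6.x prior to 4.6.3.
AFFECTED_BRANCH = (4, 6)
FIXED_VERSION = (4, 6, 3)

# MAJOR.MINOR[.PATCH][-PRERELEASE], e.g. "4.6.2", "4.6", "4.6.3-rc1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split a version string into a numeric (major, minor, patch) tuple and an
    optional pre-release tag. A missing patch component is treated as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre


def is_affected(text: str) -> Optional[bool]:
    """Return True if the advisory applies to this version, False if the version
    carries the fix, and None if it is outside the 4.6.x branch the advisory covers."""
    numeric, pre = parse_version(text)
    if numeric[:2] != AFFECTED_BRANCH:
        return None          # other branches are not in scope of this advisory
    if numeric < FIXED_VERSION:
        return True          # 4.6.0 .. 4.6.2 are unpatched
    # Assumption: a pre-release build of 4.6.3 predates the fixed release.
    if numeric == FIXED_VERSION and pre is not None:
        return True
    return False             # 4.6.3 or later on the 4.6 branch


if __name__ == "__main__":
    # Constructed sample inputs, as an inventory scan might report them.
    for v in ("4.6.2", "4.6", "4.6.3-rc1", "4.6.3", "4.6.10", "4.5.5"):
        print(f"{v:>10}: {is_affected(v)}")
```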

Solution

Upgrade to phpMyAdmin version 4.6.3 or later.