phpMyAdmin < 2.6.4 Multiple XSS

Medium Nessus Plugin ID 19519


Synopsis

The remote web server contains a PHP application that is affected by cross-site scripting vulnerabilities.

Description

According to its banner, the version of phpMyAdmin installed on the remote host is affected by two cross-site scripting vulnerabilities: it fails to sanitize user input passed in the 'error' parameter of the 'error.php' script, and input handled in 'libraries/auth/cookie.auth.lib.php'. A remote attacker can use these flaws to have arbitrary HTML and script code executed in a user's browser within the context of the affected application. Because the check relies solely on the version string the application reports, it does not reproduce the flaw; an installation with a backported fix may still be flagged, and one with an altered banner may be missed.
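The check above is a banner comparison, and the tricky part is ordering phpMyAdmin's version strings correctly: '2.6.4-rc1' is the fixed release, so it must sort above '2.6.3.1' and '2.6.3-pl1' but below '2.6.4' and '2.6.4-pl1', which a plain string comparison gets wrong. The following Python is an added example written for this page, not the Nessus plugin's own NASL; the regular expressions, the suffix ranking and the sample banners are assumptions chosen to illustrate the comparison, and the HTML snippets are constructed rather than captured from a real server.

```python
import re

# Version that closes the hole, taken from the plugin's Solution line.
FIXED_VERSION = "2.6.4-rc1"

# Pre-release tags sort below a bare release; "-pl" patch levels sort above it.
# (Assumed ranking for phpMyAdmin-style suffixes; not from the plugin.)
_SUFFIX_RANK = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "pl": 1}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:-?(alpha|beta|rc|pl)(\d*))?$", re.IGNORECASE
)

# Matches a banner fragment such as "phpMyAdmin 2.6.3-pl1" (assumed shape).
_BANNER_RE = re.compile(
    r"phpMyAdmin\s+v?(\d+(?:\.\d+)*(?:-?(?:alpha|beta|rc|pl)\d*)?)", re.IGNORECASE
)


def parse_version(version):
    """Turn '2.6.3-pl1' into a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised phpMyAdmin version: {version!r}")
    numeric = [int(part) for part in m.group(1).split(".")]
    numeric += [0] * (5 - len(numeric))  # pad so 2.6.3 == 2.6.3.0.0
    suffix = (m.group(2) or "").lower()
    suffix_number = int(m.group(3)) if m.group(3) else 0
    return tuple(numeric) + (_SUFFIX_RANK[suffix], suffix_number)


def is_vulnerable(version):
    """True when the reported version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_banner(html):
    """Extract the version string from a page body, or None if absent."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


def assess(html):
    """Banner-only verdict: None when no version is advertised at all."""
    version = version_from_banner(html)
    if version is None:
        return None  # no banner: report nothing rather than guess
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample responses, loosely modelled on the <title> of old
# phpMyAdmin pages; not captured from real hosts.
SAMPLE_BANNERS = {
    "old patch level": "<title>phpMyAdmin 2.6.3-pl1 - localhost</title>",
    "fixed candidate": "<title>phpMyAdmin 2.6.4-rc1 - localhost</title>",
    "later release": "<title>phpMyAdmin 2.11.9.5 - db01</title>",
    "no banner": "<html><body>Forbidden</body></html>",
}

if __name__ == "__main__":
    for name, html in SAMPLE_BANNERS.items():
        print(f"{name:16s} -> {assess(html)}")
```

The suffix ranking is the whole point: without it a naive comparison would treat '2.6.4-rc1' as newer than '2.6.4' and '2.6.3-pl1' as older than '2.6.3'. Treat a positive result the way the plugin does, as a version-based indication that warrants confirmation rather than proof that the host is exploitable.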

Solution

Upgrade to phpMyAdmin 2.6.4-rc1 or later.

See Also

http://www.nessus.org/u?0e8e06c0

http://www.nessus.org/u?f133bb25

Plugin Details

Severity: Medium

ID: 19519

File Name: phpMyAdmin_264.nasl

Version: 1.18

Type: remote

Published: 2005/08/29

Updated: 2018/07/24

Dependencies: 17219

Risk Information

Risk Factor: Medium

VPR Score: 3.8

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/phpMyAdmin, www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: false

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2005/07/19

Reference Information

CVE: CVE-2005-2869

BID: 14674, 14675

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990