phpMyAdmin < 2.6.4-RC1 XSS (deprecated)

Medium Nessus Network Monitor Plugin ID 3193

Synopsis

The remote host is vulnerable to a Cross-Site Scripting (XSS) attack

Description

The version of phpMyAdmin installed on the remote host may suffer from two cross-site scripting vulnerabilities due to its failure to sanitize user input to the 'error' parameter of the 'error.php' script and in 'libraries/auth/cookie.auth.lib.php'. A remote attacker may use these vulnerabilities to cause arbitrary HTML and script code to be executed in a user's browser within the context of the affected application.

Solution

Upgrade to version 2.6.4-RC1 or higher.

See Also

http://sourceforge.net/tracker/index.php?func=detail&aid=1265740&group_id=23067&atid=377408

http://sourceforge.net/tracker/index.php?func=detail&aid=1240880&group_id=23067&atid=377408

Plugin Details

Severity: Medium

ID: 3193

Family: CGI

Published: 2005/08/29

Modified: 2016/02/29

Dependencies: 9102

Nessus ID: 19519

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Reference Information

CVE: CVE-2005-2869

BID: 14674, 14675