phpMyAdmin 4.0.x < 126.96.36.199, 4.1.x < 188.8.131.52, 4.2.x < 184.108.40.206 CSRF (PMASA-2014-10)
Medium Nessus Network Monitor Plugin ID 8409
SynopsisThe remote web server contains a PHP application that is affected by a cross-site request forgery vulnerability.
DescriptionVersions of phpMyAdmin earlier than 220.127.116.11, 18.104.22.168, or 22.214.171.124 are unpatched for a DOM-based cross-site scripting vulnerability in the micro-history feature that could be leveraged for cross-site request forgery -- that is, by deceiving a logged-in user to click on a crafted URL, an attacker could perform remote code execution and in some cases, create a root account, via the user's account.
SolutionEither upgrade to phpMyAdmin 126.96.36.199, 188.8.131.52, 184.108.40.206 or later, or apply the patches from the referenced links.