PMASA-2011-14
Announcement-ID: PMASA-2011-14
Date: 2011-09-14
Summary
Multiple XSS.
Description
Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities.
Severity
We consider these vulnerabilities to be serious.
Mitigation factor
An attacker must be logged in via phpMyAdmin to exploit this problem.
Affected Versions
Versions 3.4.0 to 3.4.4 were found vulnerable.
Solution
Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below.
References
The first issue was found by Brad Bernard (iunfollow.com). The second issue was found by Nils Juenemann (https://twitter.com/#!/totally_unknown.)
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.