PMASA-2011-9
Announcement-ID: PMASA-2011-9
Date: 2011-07-23
Summary
XSS in table Print view.
Description
The attacker must trick the victim into clicking a link that reaches phpMyAdmin's table print view script; one of the link's parameters is a crafted table name (a name containing JavaScript code).
Severity
We consider this vulnerability to be minor.
Mitigation factor
The crafted table name must exist (the attacker must have access to create a table on the victim's server).
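The output-encoding pattern behind this class of issue, together with an audit for the mitigation factor above, as an added PHP illustration. This is not phpMyAdmin's code and not the patch this advisory refers to; all function names are hypothetical and the sample table names are constructed.

```php
<?php
// Added illustration; NOT phpMyAdmin's code. All function names are hypothetical.

// Vulnerable pattern: the table name taken from the request is written into
// the page as-is, so markup stored in an existing table's name is parsed by
// the victim's browser.
function print_view_heading_unsafe(string $db, string $table): string
{
    return "<h1>Table: $db.$table</h1>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also covers the case where the name lands inside an attribute.
function print_view_heading_safe(string $db, string $table): string
{
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>Table: ' . $enc($db) . '.' . $enc($table) . '</h1>';
}

// Audit helper for the mitigation factor: the crafted name has to exist on
// the server, so flag existing table names that contain HTML metacharacters.
// $tableNames would come from e.g. SHOW TABLES or information_schema.tables.
function suspicious_table_names(array $tableNames): array
{
    return array_values(array_filter(
        $tableNames,
        fn(string $name): bool => preg_match('/[<>"\'&]/', $name) === 1
    ));
}

// Constructed sample data (not taken from the advisory).
$tables = ['orders', 'customers', 'notes<script>alert(1)</script>'];

foreach ($tables as $t) {
    echo print_view_heading_safe('shop', $t), PHP_EOL;
}
print_r(suspicious_table_names($tables));
```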
Affected Versions
Versions 3.4.3.1 and earlier are affected.
Solution
Upgrade to phpMyAdmin 3.3.10.3 or 3.4.3.2 or apply the related patch listed below.
References
This issue was found by Norman Hippert from The-Wildcat.de.
Assigned CVE IDs: CVE-2011-2642
Patches
The following commits have been made to fix this issue:
The following commits have been made on the 3.3 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.