[v3.0] phpmyadmin: multiple issues (CVE-2014-6300 CVE-2014-7217)
CVE-2014-6300 (PMASA-2014-10): XSRF/CSRF due to DOM based XSS in the micro history feature
By deceiving a logged-in user into clicking on a crafted URL, it is possible to perform remote code execution and, in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.
phpMyAdmin Team considers this vulnerability to be critical.
Affected Versions: 4.0.x (prior to 184.108.40.206), 4.1.x (prior to 220.127.116.11) and 4.2.x (prior to 18.104.22.168)
Solution: upgrade to phpMyAdmin 22.214.171.124 or newer, or 126.96.36.199 or newer, or 188.8.131.52 or newer, or apply the patches published by the link below.
CVE-2014-7217 (PMASA-2014-11): XSS vulnerabilities in table search and table structure pages
With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
Affected Versions: 4.0.x (prior to 184.108.40.206), 4.1.x (prior to 220.127.116.11) and 4.2.x (prior to 18.104.22.168)
Solution: upgrade to phpMyAdmin 22.214.171.124 or newer, or 126.96.36.199 or newer, or 188.8.131.52 or newer, or apply the patch published by the link below.
(from redmine: issue id 3429, created on 2014-10-15, closed on 2014-10-23)
- parent #3426 (closed)
- Revision 7020a1c2 by Natanael Copa on 2014-10-21T09:53:27Z:
main/phpmyadmin: security upgrade to 4.2.10 (CVE-2014-6300, CVE-2014-7217) fixes #3429