phpMyAdmin 'db' Parameter Stored Cross Site Scripting Vulnerability

Published: 2011-02-23 11:24:37

CVSS Base Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N

Detection Type:
Remote Vulnerability

Impact:
Successful exploitation will allow attackers to plant XSS backdoors and inject arbitrary SQL statements via crafted XSS payloads.

Affected Versions:
phpMyAdmin versions 3.4.x before 3.4.0 beta 3

Technical Details:
The flaw is caused by improper validation of user-supplied input passed in the 'db' parameter to 'index.php', which allows attackers to execute arbitrary HTML and script code on the web server.

Recommendations:
Upgrade to phpMyAdmin version 3.4.0 beta 3 or later.

Summary:
The host is running phpMyAdmin and is prone to a cross-site scripting vulnerability.

Solution Type:
Vendor Patch

References:

http://packetstormsecurity.org/files/view/97906/phpmyadmin34-xss.txt
http://bl0g.yehg.net/2011/01/phpmyadmin-34x-340-beta-2-stored-cross.html
http://www.phpmyadmin.net/home_page/downloads.php

Severity:
Medium

CVSS Score:
4.3
