Bringing MySQL to the web

PMASA-2009-5

Announcement-ID: PMASA-2009-5

Date: 2009-06-30

Summary

XSS vulnerability

Description

It was possible to conduct an XSS attack via a crafted SQL bookmark.

Severity

We consider this vulnerability to be serious.

Affected Versions

For 2.11.x: versions are not affected.
For 3.x: All 3.x releases on which the "bookmarks" feature is active are affected.

Solution

Upgrade to phpMyAdmin 3.2.0.1.

References

We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://disenchant.ch.

Assigned CVE ids: CVE-2009-2284

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.