Announcement-ID: PMASA-2006-2
Date: 2006-05-12
XSS vulnerabilities
1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.
We consider these vulnerabilities to be serious.
[1] All 2.8.0.x releases before 2.8.0.4 are affected; previous versions are not.
[2] Some releases before 2.8.0.4 are affected (2.6.2 tested vulnerable).
Upgrade to phpMyAdmin 2.8.0.4.
We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.
Assigned CVE ids: CVE-2006-2031
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.