phpMyAdmin Bringing MySQL to the web

PMASA-2008-9

Announcement-ID: PMASA-2008-9

Date: 2008-10-30

Summary

XSS on a Designer component

Description

A logged-in user can be subject of cross site scripting attack via the pmd_pdf.php script.

Severity

We consider this vulnerability to be serious.

Affected Versions

For 2.11.x: versions before 2.11.9.3.
For 3.0.x: versions before 3.0.1.1.

Solution

Upgrade to phpMyAdmin 2.11.9.3 or 3.0.1.1.

References

Advisory: http://www.securityfocus.com/bid/31928/info

Assigned CVE ids: CVE-2008-4775

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

• 600a2ca21bc8b40742fd0a919a6b06a477548647

The following commits have been made on the 2.11 branch to fix this issue:

• 625e9f2e93671f9e4a9086b8d6c8111f70ffcc3d

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.