
PMASA-2012-1

Announcement-ID: PMASA-2012-1

Date: 2012-02-18

Summary

XSS in replication setup.

Description

It was possible to conduct XSS using a crafted database name.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

The victim would have to willingly click on a database name which clearly shows a possible XSS.

Affected Versions

Versions 3.4.x are affected.

Solution

Upgrade to phpMyAdmin 3.4.10.1 or newer, or apply the patch listed below.
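
The general defence against this class of bug, shown as an added example (not phpMyAdmin code and not the referenced patch): a database name is encoded for each context it reaches in the page, and names containing markup characters are flagged for review. The function names, the `/example/db` path and the sample names are assumptions constructed for illustration.

```javascript
// Added example, not phpMyAdmin code. All names below are hypothetical.

// The five characters that are significant in HTML text and in quoted
// attribute values, with their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one database entry. The name lands in three
// contexts (URL query parameter, attribute value, element text), and
// each one gets the encoding that context requires.
function renderDatabaseLink(name) {
  // Hypothetical path; URL-encode first, then HTML-encode the whole URL.
  const href = '/example/db?name=' + encodeURIComponent(name);
  return '<a href="' + escapeHtml(href) + '" title="' + escapeHtml(name) +
         '">' + escapeHtml(name) + '</a>';
}

// Audit helper: return the names that contain HTML metacharacters so an
// administrator can review them. MySQL accepts such characters in quoted
// identifiers, so the name itself has to be treated as untrusted input.
function findSuspiciousNames(names) {
  return names.filter((n) => /[&<>"']/.test(n));
}

// Constructed sample input (not taken from the advisory).
const sampleNames = [
  'sales',
  'hr_2012',
  'x"><script>alert(1)</script>',
  "o'brien",
];

function demo() {
  return {
    flagged: findSuspiciousNames(sampleNames),
    rendered: sampleNames.map(renderDatabaseLink),
  };
}

console.log(demo());
```
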

References

Thanks to Jakub Gałczyk (http://hauntit.blogspot.com) for reporting this issue.

Assigned CVE ids: CVE-2012-1190

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.