Bugzilla – Bug 824306
VUL-0: phpMyAdmin: CVE-2013-3742: XSS due to unescaped HTML output in Create View page.
Last modified: 2013-06-12 16:29:25 UTC
Public via PMASA-2013-6. http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php

PMASA-2013-6
------------

Announcement-ID: PMASA-2013-6

Date: 2013-06-05

Summary:
XSS due to unescaped HTML output in Create View page.

Description:
When creating a view with a crafted name and an incorrect CREATE statement, it is possible to trigger an XSS.

Severity:
We consider this vulnerability to be non critical.

Mitigation factor:
This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

Affected Versions:
Versions 4.0.x are affected.

Solution:
Upgrade to phpMyAdmin 4.0.3 or newer, or apply the patch listed below.

References:
Thanks to Maxim Rupp for reporting this issue.

Assigned CVE ids:
CVE-2013-3742
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3742

CWE ids:
CWE-661
CWE-79
http://cwe.mitre.org/data/definitions/661.html
http://cwe.mitre.org/data/definitions/79.html

Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/9b3551601ce714adb5e3f428476052f0ec6093bf
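Added illustration of the bug class the advisory describes (CWE-79, unescaped output of a user-controlled name). This is example code written for this page; it is not phpMyAdmin's code and not the content of the fix commit linked above. The advisory's wording (crafted view name plus an invalid CREATE statement) suggests the name was echoed back on the error path, so the example models that: a handler that reports a failed CREATE VIEW and includes the view name in the HTML. The function names, the error-message text and the MySQL error string are assumptions for illustration only.

```php
<?php
// Added example, not phpMyAdmin code: the unescaped-output bug class behind
// PMASA-2013-6 / CVE-2013-3742, shown as a vulnerable renderer beside a fixed one.
// Function names, message wording and the sample inputs are assumptions.

declare(strict_types=1);

/** Vulnerable: the user-supplied view name is interpolated into HTML as-is. */
function renderCreateViewErrorVulnerable(string $viewName, string $dbError): string
{
    return '<div class="error">Could not create view <b>' . $viewName . '</b>: '
        . $dbError . '</div>';
}

/** Output-escaping helper: every untrusted value goes through this before it reaches HTML. */
function esc(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently blank the message.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Fixed: same message, but both the name and the server error are escaped. */
function renderCreateViewErrorFixed(string $viewName, string $dbError): string
{
    return '<div class="error">Could not create view <b>' . esc($viewName) . '</b>: '
        . esc($dbError) . '</div>';
}

/** Check used below: does the rendered HTML still contain a raw script tag? */
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: a view name that is itself a script tag, paired with an
// invalid CREATE statement so the error path (where the name is echoed) runs.
// The MySQL error text is made up for the example.
$craftedName = '<script>alert(document.cookie)</script>';
$dbError     = "You have an error in your SQL syntax near 'SELEC 1 FROM t'";

if (PHP_SAPI === 'cli') {
    $vuln  = renderCreateViewErrorVulnerable($craftedName, $dbError);
    $fixed = renderCreateViewErrorFixed($craftedName, $dbError);
    printf("vulnerable output contains raw <script>: %s\n", containsRawScriptTag($vuln) ? 'yes' : 'no');
    printf("fixed output contains raw <script>:      %s\n", containsRawScriptTag($fixed) ? 'yes' : 'no');
    echo $fixed, "\n";
}
```

Run with `php example.php`; the vulnerable rendering carries the script tag through unchanged while the fixed one emits `&lt;script&gt;...`. The mitigation factor in the advisory follows from the same code path: the form is only reachable with a valid session token, so an attacker has to be logged in (or share an account with the victim) rather than deliver the payload via a forged cross-site request.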
bugbot adjusting priority
fixed with update to 4.0.3