Bug 864917 (CVE-2014-1879) - VUL-0: CVE-2014-1879: phpMyAdmin: Self-XSS due to unescaped HTML output in import.
Status: RESOLVED FIXED
Alias: CVE-2014-1879
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2014-02-20 16:54 UTC by Victor Pereira
Modified: 2014-03-08 17:38 UTC

Description Victor Pereira 2014-02-20 16:54:33 UTC
CVE-2014-1879

Self-XSS due to unescaped HTML output in import. When importing a file with a crafted filename, it is possible to trigger an XSS. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

References:

http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
Comment 1 Swamp Workflow Management 2014-02-20 23:02:16 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2014-02-26 23:10:46 UTC
ongoing work
Comment 3 Christian Wittmer 2014-02-26 23:23:12 UTC
Request created:
https://build.opensuse.org/request/show/224024
Comment 4 Swamp Workflow Management 2014-03-08 14:04:41 UTC
openSUSE-SU-2014:0344-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 864917
CVE References: CVE-2014-1879
Sources used:
openSUSE 13.1 (src):    phpMyAdmin-4.1.8-4.1
openSUSE 12.3 (src):    phpMyAdmin-4.1.8-1.12.1
Comment 5 Marcus Meissner 2014-03-08 17:38:33 UTC
released