Bugzilla – Bug 902154
VUL-0: phpMyAdmin: XSS vulnerabilities in SQL debug output and server monitor page.
Last modified: 2014-11-20 19:52:01 UTC
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.5__4.1.14.6_and_4.2.10.1_are_released

Tue, 21 Oct 2014 14:50:14 GMT
Welcome to phpMyAdmin 4.0.10.5, 4.1.14.6 and 4.2.10.1, which contain security fixes.

http://www.phpmyadmin.net/home_page/security/PMASA-2014-12.php

Announcement-ID: PMASA-2014-12
Date: 2014-10-21

Summary:
XSS vulnerabilities in SQL debug output and server monitor page.

With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries.

Severity:
Considered non-critical.

Logged in user required. Developer option, disabled by default, expected to be disabled in production environments.

affects 4.0.x (prior to 4.0.10.5)
affects 4.1.x (prior to 4.1.14.6) - openSUSE:13.1:Update, openSUSE:12.3:Update 4.1.14.5
affects 4.2.x (prior to 4.2.10.1) - openSUSE:13.2 4.2.9.1
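A check of installed versions against the fixed releases listed above, as an added example that is not part of the original report or of phpMyAdmin. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed release per affected branch, as listed in PMASA-2014-12 above.
FIXED = {
    (4, 0): (4, 0, 10, 5),
    (4, 1): (4, 1, 14, 6),
    (4, 2): (4, 2, 10, 1),
}


def parse_version(text):
    """Return the first dotted version in text as a 4-tuple of ints.

    Accepts a bare version ('4.2.9.1') or a package string such as
    'phpMyAdmin-4.1.14.6-20.1'; a missing fourth field counts as 0.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError("no version found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def advisory_status(text):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not named by the advisory: make no claim either way.
        return "not-listed"
    # Tuple comparison is numeric per field, so 4.1.9 sorts below
    # 4.1.14.6 (a plain string comparison would get that wrong).
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory using versions named in this report.
    for pkg in ["phpMyAdmin-4.1.14.5", "phpMyAdmin-4.1.14.6-20.1",
                "4.2.9.1", "4.2.10.1", "4.0.10", "4.1.9"]:
        print("%-28s %s" % (pkg, advisory_status(pkg)))
```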
SR to openSUSE:Factory: https://build.opensuse.org/request/show/257927
MR for 12.3 and 13.1: https://build.opensuse.org/request/show/257928
MR for 13.2: https://build.opensuse.org/request/show/257930
openSUSE-SU-2014:1347-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 902154
CVE References: CVE-2014-8326
Sources used:
openSUSE 13.1 (src): phpMyAdmin-4.1.14.6-20.1
openSUSE 12.3 (src): phpMyAdmin-4.1.14.6-1.28.1
Updates released for 12.3 and 13.1. 13.2 was released with 4.2.10.1.