Bug 908364 (CVE-2014-9219) - VUL-0: CVE-2014-9219: phpMyAdmin: XSS vulnerability in redirection mechanism
Summary: VUL-0: CVE-2014-9219: phpMyAdmin: XSS vulnerability in redirection mechanism
Status: RESOLVED FIXED
Alias: CVE-2014-9219
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All, OS: openSUSE 13.2
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: CVSSv2:NVD:CVE-2014-9219:4.3:(AV:N/A...
Keywords:
Depends on: CVE-2014-8958 CVE-2014-8959 CVE-2014-8960 CVE-2014-8961
Blocks:
Reported: 2014-12-04 12:26 UTC by Andreas Stieger
Modified: 2019-05-01 16:34 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2014-12-04 12:26:31 UTC
From http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php

> Announcement-ID: PMASA-2014-18
> Date: 2014-12-03
> Summary: XSS vulnerability in redirection mechanism.
> Description: With a crafted URL it was possible to trigger an XSS in the redirection mechanism in phpMyAdmin.
> 
> Severity: We consider this vulnerability to be non critical.
> Affected Versions: Versions 4.2.x (prior to 4.2.13.1) are affected.
> Solution: Upgrade to phpMyAdmin 4.2.13.1 or newer, or apply the patch listed below.
> Assigned CVE ids: CVE-2014-9219
> CWE ids: CWE-661 CWE-79
> Patches: 9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2
Comment 1 Andreas Stieger 2014-12-04 12:34:29 UTC
Submitted to openSUSE:Factory https://build.opensuse.org/request/show/264015
Eric, as you seem to follow this package closely, would you like to look into the maintenance update for 12.3 through 13.2?
Comment 2 Andreas Stieger 2014-12-04 13:43:59 UTC
openSUSE:12.3:Update has 4.1.14.6,
pending incident openSUSE:Maintenance:3228 to 4.1.14.7,
fix is in 4.1.14.8

openSUSE:13.1:Update has 4.1.14.6,
pending incident openSUSE:Maintenance:3228 to 4.1.14.7,
fix is in 4.1.14.8

openSUSE:13.2:Update has 4.2.10.1,
pending incident openSUSE:Maintenance:3228 to 4.2.12,
fix is in 4.2.13.1

Maintenance release request for the previous bug 906485, bug 906486, bug 906487 and bug 906488 is https://build.opensuse.org/request/show/262564
Comment 3 Andreas Stieger 2014-12-04 19:25:30 UTC
Please review maintenance request:
https://build.opensuse.org/request/show/264084
Comment 4 Bernhard Wiedemann 2014-12-05 21:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (908364) was mentioned in
https://build.opensuse.org/request/show/264212 13.2+13.1+12.3 / phpMyAdmin
Comment 5 Swamp Workflow Management 2014-12-15 12:05:32 UTC
openSUSE-SU-2014:1636-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 908363,908364
CVE References: CVE-2014-9218,CVE-2014-9219
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.2.13.1-8.1
openSUSE 13.1 (src):    phpMyAdmin-4.1.14.8-28.1
openSUSE 12.3 (src):    phpMyAdmin-4.1.14.8-1.38.1
Comment 6 Johannes Segitz 2015-02-24 13:15:24 UTC
all updates released