Lucene search

GitHub Advisory DatabaseGHSA-PW34-QF6C-84FC

HistoryMay 14, 2022 - 2:08 a.m.

phpMyAdmin XSS Vulnerability

2022-05-1402:08:30

CWE-79

GitHub Advisory Database

github.com

phpmyadmin

xss

vulnerability

versions 4.0.x

4.4.x

4.5.x

remote authenticated users

web script

html

table name

set value

search query

hostname

location header

software

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.7%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.

Affected configurations

Vulners

Node

phpmyadminphpmyadminRange<4.5.4

phpmyadminphpmyadminRange<4.4.15.3

phpmyadminphpmyadminRange<4.0.10.13

VendorProductVersionCPE
phpmyadminphpmyadmin*cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
phpmyadmin	phpmyadmin	*	cpe:2.3:a:phpmyadmin:phpmyadmin::::::::

References

lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html

lists.opensuse.org/opensuse-updates/2016-02/msg00028.html

lists.opensuse.org/opensuse-updates/2016-02/msg00049.html

www.debian.org/security/2016/dsa-3627

www.phpmyadmin.net/home_page/security/PMASA-2016-3.php

github.com/advisories/GHSA-pw34-qf6c-84fc

github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc

github.com/phpmyadmin/phpmyadmin/commit/aca42efa01917cc0fe8cfdb2927a6399ca1742f2

github.com/phpmyadmin/phpmyadmin/commit/edffb52884b09562490081c3b8666ef46c296418

nvd.nist.gov/vuln/detail/CVE-2016-2040

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.7%

JSON

Related for GHSA-PW34-QF6C-84FC