=====================================================================
CERT-Renater Information Note No. 2010/VULN487
_____________________________________________________________________
DATE                 : 02/12/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running phpMyAdmin versions 3.x prior to
                       3.3.8.1, 2.11.x prior to 2.11.11.1.
======================================================================

http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php
______________________________________________________________________

PMASA-2010-8

Announcement-ID: PMASA-2010-8
Date: 2010-11-29

Summary

XSS attack in database search.

Description

It was possible to conduct an XSS attack using a spoofed request on the db search script.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

For 3.x: versions before 3.3.8.1 are affected.
For 2.11.x: versions before 2.11.11.1 are affected.

Solution

Upgrade to phpMyAdmin 3.3.8.1 or newer, or 2.11.11.1 if using the 2.11.x family. You can also apply the patch listed below.

References

Thanks to Alexander Opitz for reporting this issue.

Assigned CVE ids: CVE-2010-4329

Patches

The following commits have been made to fix this issue:

* 4341818d73d454451f024950a4ce0141608ac7f8
* e1f4901ffc400b6d2df15eac0ba5015fe48a27c4

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================