
=====================================================================

                                             CERT-Renater

                                 Information Note No. 2012/VULN087
_____________________________________________________________________

DATE                : 21/02/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running phpMyAdmin versions 3.4.x prior to
                      3.4.10.1.

======================================================================
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
_______________________________________________________________________

PMASA-2012-1

    Announcement-ID: PMASA-2012-1

    Date: 2012-02-18

Summary

    XSS in replication setup.

Description

    It was possible to conduct XSS using a crafted database name.

Severity

    We consider this vulnerability to be non critical.

Mitigation factor

    The victim would have to willingly click on a database name which
    clearly shows a possible XSS.
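
    The issue above is the classic pattern of a user-controlled identifier
    (here a database name, which in MySQL may legally contain quotes and
    angle brackets) written into HTML without escaping. The PHP snippet
    below is an added illustration for this note, not phpMyAdmin's code or
    the referenced commit; the function names and the crafted database name
    are constructed for the example.

```php
<?php
// Added illustration (not phpMyAdmin code): a replication-setup style page
// that lists database names as links. The crafted name is a constructed
// test value; MySQL allows such characters inside backtick-quoted names.

/** Vulnerable form: the database name is interpolated into HTML as-is. */
function renderDbLinkUnsafe(string $db): string
{
    return '<a href="?db=' . $db . '">' . $db . '</a>';
}

/** Hardened form: encode for the URL query and for the HTML body separately. */
function renderDbLinkSafe(string $db): string
{
    // Query parameter: percent-encode so no HTML-significant byte survives.
    $href = '?db=' . rawurlencode($db);
    // Link text: entity-encode quotes and angle brackets for the HTML body.
    $text = htmlspecialchars($db, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Attribute value: encode again in case the quoting style ever changes.
    $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

/** Simple check a reviewer could run: no raw tag may survive escaping. */
function containsRawTag(string $html, string $untrusted): bool
{
    // Strip the fixed markup we emitted ourselves, then look for the
    // untrusted value's tags appearing unencoded.
    $body = preg_replace('/^<a href="[^"]*">|<\/a>$/', '', $html);
    return $body !== null && strpos($body, '<script') !== false;
}

// Constructed crafted database name, in the spirit of this advisory.
$crafted = 'prod"><script>alert(1)</script>';

$unsafe = renderDbLinkUnsafe($crafted);
$safe   = renderDbLinkSafe($crafted);

echo "unsafe: " . $unsafe . PHP_EOL;
echo "safe:   " . $safe . PHP_EOL;

// Expect: the unsafe rendering still carries the tag, the safe one does not.
var_dump(containsRawTag($unsafe, $crafted));
var_dump(containsRawTag($safe, $crafted));
```

    The same two-context rule (URL encoding for the query, entity encoding
    for the body and attributes) applies wherever an identifier read from
    the server, not only from the request, is echoed back into a page.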

Affected Versions

    Versions 3.4.x are affected.

Solution

    Upgrade to phpMyAdmin 3.4.10.1 or newer, or apply the patch listed below.

References

    Thanks to Jakub Galczyk (http://hauntit.blogspot.com) for reporting
    this issue.

    Assigned CVE ids: CVE-2012-1190

    CWE ids: CWE-661 CWE-79

Patches

    The following commits have been made to fix this issue:
      * 86073d532aed656550cb731aa5b4288b126ae7a6

More information

    For further information and in case of questions, please contact the
    phpMyAdmin team. Our website is phpmyadmin.net.


======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
