=====================================================================
CERT-Renater Note d'Information No. 2025/VULN037
_____________________________________________________________________

DATE: 23/01/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running phpMyAdmin versions prior to 5.2.2.
=====================================================================

https://www.phpmyadmin.net/security/PMASA-2025-1/
https://www.phpmyadmin.net/security/PMASA-2025-2/
https://www.phpmyadmin.net/security/PMASA-2025-3/
_____________________________________________________________________

PMASA-2025-1

Announcement-ID: PMASA-2025-1
Date: 2025-01-20

Summary
XSS when checking tables

Description
An XSS vulnerability has been discovered with the phpMyAdmin "Check tables" feature. A specially crafted table or database name could be used to trigger an XSS attack.

Severity
We consider this vulnerability to be of moderate severity.

Affected Versions
phpMyAdmin versions 5.x prior to 5.2.2 are affected.

Solution
Upgrade to phpMyAdmin 5.2.2 or newer or apply the patch listed below.

References
Thanks to bluebird for reporting this vulnerability.
Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches
The following commits have been made to fix this issue:
a45efd0eb9415240480adeefc587158c766bc4a0

More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
_____________________________________________________________________

PMASA-2025-2

Announcement-ID: PMASA-2025-2
Date: 2025-01-20

Summary
XSS on Insert page

Description
An XSS vulnerability has been discovered with the phpMyAdmin "Insert" tab.

Severity
We consider this vulnerability to be of moderate severity.

Affected Versions
phpMyAdmin versions 5.x prior to 5.2.2 are affected.

Solution
Upgrade to phpMyAdmin 5.2.2 or newer or apply the patch listed below.
References
Thanks to Kamil Tekiela for reporting this vulnerability.
Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches
The following commits have been made to fix this issue:
236eeec56224f59ae6f69e4a9c555d513ac3fa3b

More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
_____________________________________________________________________

PMASA-2025-3

Announcement-ID: PMASA-2025-3
Date: 2025-01-21

Summary
glibc/iconv Vulnerability (CVE-2024-2961)

Description
There was a vulnerability found in glibc/iconv that could potentially affect phpMyAdmin under specific circumstances. By default, phpMyAdmin is not vulnerable, but since we use iconv and a potential exploit could possibly exist, we are publishing this PMASA to include the full details we have determined. The PHP group has posted a statement about the vulnerability.

Severity
In the default configuration, phpMyAdmin is not affected, so we do not consider this to be severe.

Mitigation factor
The following PHP requirements must be met for a system to be vulnerable:
* Glibc security updates from the distribution have not been installed
* And the iconv extension is loaded
* And the vulnerable character set has not been removed from gconv-modules-extra.conf

In combination, the following phpMyAdmin requirements must also be met for the attack to potentially succeed:
* The user must be authenticated to use the export feature
* $cfg['RecodingEngine'] must be set to 'iconv' or to 'auto'. The default value is 'auto', which uses the iconv extension if available
* The charset 'ISO-2022-CN-EXT' must be included in $cfg['AvailableCharsets'], which is not included by default
* Then choosing to convert to the character set ISO-2022-CN-EXT before exporting to a file

Affected Versions
phpMyAdmin versions 5.x prior to 5.2.2 are affected.

Solution
Upgrade to phpMyAdmin 5.2.2 or newer or apply the patch listed below.
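As an added example (not phpMyAdmin's or CERT-Renater's code), the following PHP script evaluates the PMASA-2025-3 preconditions listed above against a local installation, so an administrator can see which mitigating factors are in place before the upgrade; the config.inc.php and gconv-modules-extra.conf paths are assumptions to adjust for the host.

```php
<?php
// Added example, not phpMyAdmin's own code: checks the PMASA-2025-3 preconditions
// against a local phpMyAdmin configuration. Both file paths are assumptions.
declare(strict_types=1);

$configFile = '/etc/phpmyadmin/config.inc.php';                            // assumed path
$gconvExtra = '/usr/lib/x86_64-linux-gnu/gconv/gconv-modules-extra.conf';  // assumed path

/**
 * Returns each advisory condition and whether it holds on this host.
 * The glibc patch level itself is not checked here: that is answered by the
 * distribution's package manager, not by the phpMyAdmin configuration.
 */
function pmasa_2025_3_conditions(array $cfg, bool $iconvLoaded, string $gconvExtraContents): array
{
    $engine   = $cfg['RecodingEngine'] ?? 'auto';   // 'auto' is the documented default
    $charsets = $cfg['AvailableCharsets'] ?? [];    // ISO-2022-CN-EXT is absent by default

    return [
        'iconv extension loaded'                       => $iconvLoaded,
        'RecodingEngine is iconv or auto'              => in_array($engine, ['iconv', 'auto'], true),
        'ISO-2022-CN-EXT listed in AvailableCharsets'  => in_array('ISO-2022-CN-EXT', $charsets, true),
        'ISO-2022-CN-EXT still in gconv-modules-extra.conf'
            => stripos($gconvExtraContents, 'ISO-2022-CN-EXT') !== false,
    ];
}

$cfg = [];
if (is_readable($configFile)) {
    require $configFile;   // config.inc.php populates the global $cfg array
}
$gconvContents = is_readable($gconvExtra) ? (string) file_get_contents($gconvExtra) : '';

$conditions = pmasa_2025_3_conditions($cfg, extension_loaded('iconv'), $gconvContents);
foreach ($conditions as $label => $met) {
    printf("[%s] %s\n", $met ? 'x' : ' ', $label);
}

// Every condition must hold at once for the advisory's scenario to apply;
// each unchecked box is one of the mitigating factors. The fix is still 5.2.2.
$allPresent = !in_array(false, $conditions, true);
echo $allPresent
    ? "All configuration preconditions present: upgrade to phpMyAdmin 5.2.2 or newer.\n"
    : "At least one precondition missing; upgrading to 5.2.2 is still recommended.\n";
```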
References
Assigned CVE ids: CVE-2024-2961
CWE ids: CWE-661

Patches
The following commits have been made to fix this issue:
e6f08a8682ab6a50be973645d31d90c8830bf1ba

More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

=========================================================
CERT-RENATER          | tel : 01-53-94-20-44
23/25 Rue Daviel      | fax : 01-53-94-20-41
75013 Paris           | email: cert@support.renater.fr
=========================================================