Bug 1067713 (CVE-2014-1879)

Summary: CVE-2014-1879 phpMyAdmin: XSS in import.php
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ccoleman, dmcphers, jialiu, jrusnack, lmeyer, mmcgrath, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20140205,reported=20140220,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/phpMyAdmin=affected,epel-6/phpMyAdmin=affected,epel-5/phpMyAdmin3=affected,openshift-1/phpMyAdmin=affected,cwe=CWE-79
Fixed In Version: phpMyAdmin 4.1.7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-31 13:36:51 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1067714, 1067715, 1067716, 1067717    
Bug Blocks:    

Description Vincent Danen 2014-02-20 17:46:32 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1879 to
the following vulnerability:

Name: CVE-2014-1879
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
Assigned: 20140207
Reference: http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
Reference: https://github.com/phpmyadmin/phpmyadmin/commit/968d5d5f486820bfa30af046f063b9f23304e14a

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary web
script or HTML via a crafted filename in an import action.
Comment 2 Vincent Danen 2014-02-20 17:49:01 EST
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1067714]
Affects: epel-6 [bug 1067715]
Comment 3 Vincent Danen 2014-02-20 17:49:06 EST
Created phpMyAdmin3 tracking bugs for this issue:

Affects: epel-5 [bug 1067716]
Comment 4 Fedora Update System 2014-07-30 03:01:04 EDT
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-07-30 03:02:35 EDT
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-08-07 07:46:11 EDT
phpMyAdmin-4.0.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-10-09 15:55:11 EDT
phpMyAdmin4-4.0.10.3-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.