Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document.

http://www.securityfocus.com/archive/1/archive/1/496842/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/496877/100/0/threaded
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
http://bugs.mysql.com/bug.php?id=27884
http://secunia.com/advisories/32072

The issue has been rated as having low security impact, as this can only be a security flaw when all of the following conditions are met:

1) A database contains untrusted third-party data.
2) A site uses the mysql command line tool with the --html option.
3) The resulting HTML output is placed and viewed on a web site the attacker could use to launch a cross-site-scripting attack.
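
The flaw and its fix, shown as an added example that is not part of this bug report or of MySQL's code: a renderer that copies cell text into an HTML table verbatim, the same renderer with every header and cell HTML-encoded, and an audit helper that flags any tag in a generated report that the table layout itself could not have produced. The table markup is an assumption modelled on the client's --html output, and all function names and sample rows are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Tags the table layout itself emits (assumed); anything else came from cell data.
TABLE_TAGS = {"table", "tr", "th", "td"}

def _render(headers, rows, enc):
    out = ["<TABLE BORDER=1><TR>"]
    out += [f"<TH>{enc(str(h))}</TH>" for h in headers]
    out.append("</TR>")
    for row in rows:
        out.append("<TR>")
        out += [f"<TD>{enc('NULL' if c is None else str(c))}</TD>" for c in row]
        out.append("</TR>")
    out.append("</TABLE>")
    return "".join(out)

def render_unescaped(headers, rows):
    """Affected behaviour: cell text reaches the document unchanged."""
    return _render(headers, rows, lambda s: s)

def render_escaped(headers, rows):
    """Hardened behaviour: <, >, & and quotes in every value are encoded."""
    return _render(headers, rows, lambda s: html.escape(s, quote=True))

class _TagAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.unexpected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names before calling this hook.
        if tag not in TABLE_TAGS:
            self.unexpected.append(tag)

def unexpected_tags(document):
    """Return tags in a generated report that did not come from the table layout."""
    audit = _TagAudit()
    audit.feed(document)
    audit.close()
    return audit.unexpected

# Constructed sample result set; row 2 holds markup stored by an untrusted party.
HEADERS = ["id", "comment"]
ROWS = [(1, "hello"), (2, "<script>alert(1)</script>"), (3, None), (4, "a < b & c")]
```

Running unexpected_tags over reports that were already generated and published by an affected client shows whether any stored cell contributed markup to them.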

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1289 https://rhn.redhat.com/errata/RHSA-2009-1289.html

This issue does affect Red Hat Enterprise Linux 3 and 4; however, the Security Response Team has rated it as having low impact and it may be addressed in a future update.

This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html