Bug 733475 - (CVE-2011-3181) CVE-2011-3181 phpMyAdmin XSS flaw
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 733477 733478 733479 733480
Reported: 2011-08-25 15:07 EDT by Josh Bressers
Modified: 2016-03-04 06:44 EST

Doc Type: Bug Fix
Last Closed: 2011-09-13 17:31:11 EDT

Attachments: None
Description Josh Bressers 2011-08-25 15:07:42 EDT
From the upstream advisory:

Announcement-ID: PMASA-2011-13

Date: 2011-08-24
Multiple XSS in the Tracking feature.

Missing sanitization on the table, column and index names leads to XSS vulnerabilities.

Severity

We consider this vulnerability to be serious.

Mitigation factor:
An attacker must be logged in via phpMyAdmin to exploit this problem.
Affected Versions

Versions 3.3.0 to are affected.

Upgrade to phpMyAdmin or 3.4.4 or apply the related patch listed below.

References

This issue was found by Norman Hippert from The-Wildcat.de.

Assigned CVE ids: CVE-2011-3181

CWE ids: CWE-661 CWE-98
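The advisory above describes identifiers (table, column and index names) that are read back from the database and rendered into the Tracking pages without escaping. The following is an added example, not code from phpMyAdmin or from the advisory: it puts the vulnerable output pattern next to the mitigation (escaping at the HTML output boundary with htmlspecialchars). The function names, the row layout and the sample identifiers are this example's own constructions; the only thing taken from the page is the bug class.

```php
<?php
// Added example, not phpMyAdmin's code. It shows the class of bug PMASA-2011-13
// describes (a database identifier rendered into HTML without escaping) beside
// the fix: escape every dynamic value where it enters the markup.
// All function names and sample data below are this example's own.

// Constructed sample rows. A MySQL identifier quoted with backticks may contain
// almost any character, including '<' and '>', so an authenticated user who can
// create tables controls these values. The first name carries markup.
$sampleTrackedTables = [
    ['db' => 'shop', 'table' => "orders<script>alert('x')</script>", 'version' => 3],
    ['db' => 'shop', 'table' => 'customers',                           'version' => 1],
];

// Vulnerable pattern: the identifier is concatenated straight into the markup,
// so any HTML inside the name is interpreted by the browser.
function renderTrackingRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['db'] . '</td><td>' . $row['table'] . '</td><td>'
        . $row['version'] . '</td></tr>';
}

// Hardened pattern: every dynamic value passes through htmlspecialchars() with
// ENT_QUOTES (safe inside attribute values too), ENT_SUBSTITUTE (invalid UTF-8
// becomes U+FFFD instead of an empty string) and an explicit charset.
// Escaping happens here, at the output boundary, not when the name is read
// from the database, so the stored identifier itself stays untouched.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTrackingRowSafe(array $row): string
{
    return '<tr><td>' . h($row['db']) . '</td><td>' . h($row['table']) . '</td><td>'
        . h((string) $row['version']) . '</td></tr>';
}

// Self-check used below: true when a name that contains markup reaches the
// rendered HTML verbatim, i.e. when escaping did not happen.
function leaksMarkup(string $html, string $name): bool
{
    return strpos($name, '<') !== false && strpos($html, $name) !== false;
}

foreach ($sampleTrackedTables as $row) {
    $unsafe = renderTrackingRowUnsafe($row);
    $safe   = renderTrackingRowSafe($row);
    printf("table %-40s unsafe leaks markup: %-3s safe leaks markup: %s\n",
        var_export($row['table'], true),
        leaksMarkup($unsafe, $row['table']) ? 'yes' : 'no',
        leaksMarkup($safe, $row['table']) ? 'yes' : 'no');
    echo "  rendered (safe): ", $safe, "\n";
}
```

Run it with `php example.php`. For the first row the unsafe renderer reports that the markup survived while the safe renderer emits `orders&lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt;`, which the browser displays as text. The design point is that identifiers are untrusted data like any other user input: restricting what names the application accepts is not a substitute for escaping at every HTML sink, because the names are created through the database, not through the application's own forms.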
Comment 1 Josh Bressers 2011-08-25 15:13:21 EDT
Created phpMyAdmin tracking bugs for this issue

Affects: fedora-all [bug 733477]
Affects: epel-4 [bug 733478]
Affects: epel-5 [bug 733479]
Affects: epel-6 [bug 733480]
Comment 2 Robert Scheck 2011-08-25 16:19:21 EDT
Josh, I think you made a lookup mistake. EPEL 4 and 5 are *not* affected,
because they ship phpMyAdmin 2.x; only EPEL 6 and all Fedora releases are.
