Bug 808439 - (CVE-2012-1600) CVE-2012-1600 phpPgAdmin: XSS by displaying default list of functions in the database
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Reported: 2012-03-30 07:39 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:01 EST
Doc Type: Bug Fix
Description Jan Lieskovsky 2012-03-30 07:39:00 EDT
A cross-site scripting (XSS) flaw was found in the way phpPgAdmin, a web-based PostgreSQL database administration tool, performed presentation of the default list of functions, being present in the database, to the user upon request. A remote attacker could provide a specially-crafted web page, which once visited by an unsuspecting, valid phpPgAdmin user could lead to arbitrary HTML or web script execution in the context of the logged-in phpPgAdmin user.


Upstream patch:

CVE request:

CVE assignment:
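As an added illustration of the bug class the report describes, and not phpPgAdmin's own code (the report does not show the exact injection point, so the page name, parameter name and helper names below are assumptions): a function-list page that reflects a request parameter and database-supplied function names into HTML, first without escaping and then through htmlspecialchars() at every output point.

```php
<?php
// Added illustration of the XSS class described in the report. This is NOT
// phpPgAdmin's code; the page name, parameter and helper names are assumed.

// Constructed sample input standing in for what a real page would receive from
// the request and from pg_catalog: a schema name taken from the URL and a few
// function names read from the database.
$schema    = $_GET['schema'] ?? 'public <i>(unescaped)</i>';
$functions = ['lower', 'my_func <b>(unescaped)</b>'];

/** Vulnerable pattern: values are concatenated straight into the markup. */
function render_functions_vulnerable(string $schema, array $functions): string {
    $html = "<h2>Functions in schema $schema</h2><ul>";
    foreach ($functions as $name) {
        // A name or parameter containing markup is rendered as markup.
        $html .= "<li><a href=\"functions.php?schema=$schema&function=$name\">$name</a></li>";
    }
    return $html . '</ul>';
}

/** Escape for an HTML text node or a double-quoted attribute value. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: every dynamic value is escaped at the output point. */
function render_functions_safe(string $schema, array $functions): string {
    $html = '<h2>Functions in schema ' . h($schema) . '</h2><ul>';
    foreach ($functions as $name) {
        // Query-string parts are URL-encoded, then the whole attribute is HTML-escaped.
        $href = 'functions.php?' . http_build_query(['schema' => $schema, 'function' => $name]);
        $html .= '<li><a href="' . h($href) . '">' . h($name) . '</a></li>';
    }
    return $html . '</ul>';
}

header('Content-Type: text/html; charset=UTF-8');
echo render_functions_safe($schema, $functions);
// render_functions_vulnerable() is kept only for contrast; it must never be wired to output.
```

Served with the built-in server (php -S), the safe renderer shows the constructed tags literally in the browser, whereas the vulnerable renderer would interpret them; a declared charset matters because the escaping assumes UTF-8.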
Comment 1 Jan Lieskovsky 2012-03-30 07:43:49 EDT
This issue previously affected the versions of the phpPgAdmin package as shipped with Fedora releases 15 and 16, and as shipped with Fedora EPEL 5 and Fedora EPEL 6.

Though the following phpPgAdmin packages have been scheduled already:
1) phpPgAdmin-5.0.4-1.fc15 for Fedora 15,
2) phpPgAdmin-5.0.4-1.fc16 for Fedora 16,
3) phpPgAdmin-5.0.4-1.el5  for Fedora EPEL 5,
4) phpPgAdmin-5.0.4-1.el6  for Fedora EPEL 6

to correct this deficiency. Once the above packages have passed the required level of testing, they will be pushed to the -stable repository for each of the particular releases above.
