Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5339 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5339
[2] http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
[3] https://github.com/phpmyadmin/phpmyadmin/commit/6ea8fad3f999bfdf79eb6fe31309592bca54d611
[4] https://github.com/phpmyadmin/phpmyadmin/commit/cfd688d2512df9827a8ecc0412fc264fc5bcb186
The following updates have been created to correct this issue in phpMyAdmin package versions, as shipped with Fedora and Fedora EPEL:

1) phpMyAdmin-3.5.3-1.fc17 for Fedora 17,
2) phpMyAdmin-3.5.3-1.fc16 for Fedora 16,
3) phpMyAdmin-3.5.3-1.el6 for Fedora EPEL 6,
4) phpMyAdmin3-3.5.3-1.el5 for Fedora EPEL 5.

This issue did NOT affect the version of the phpMyAdmin package (2.X based) as shipped with Fedora EPEL 5.