Bug 661335 (CVE-2010-4480) - CVE-2010-4480 phpMyAdmin: XSS vulnerability via crafted BBCode tag in error.php
Summary: CVE-2010-4480 phpMyAdmin: XSS vulnerability via crafted BBCode tag in error.php
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4480
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 662367
Blocks:
 
Reported: 2010-12-08 15:38 UTC by Vincent Danen
Modified: 2019-09-29 12:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-30 06:09:03 UTC
Embargoed:



Description Vincent Danen 2010-12-08 15:38:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4480 to
the following vulnerability:

Name: CVE-2010-4480
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480
Assigned: 20101207
Reference: EXPLOIT-DB:15699
Reference: URL: http://www.exploit-db.com/exploits/15699
Reference: VUPEN:ADV-2010-3133
Reference: URL: http://www.vupen.com/english/advisories/2010/3133

error.php in PhpMyAdmin 3.3.8.1 and earlier allows remote attackers to
conduct cross-site scripting (XSS) attacks via a crafted BBcode tag
containing "@" characters, as demonstrated using "[a@url@page]".


No new version of phpMyAdmin is available as of yet, but the following looks like the relevant commit to fix this issue:

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=aa6fec0532a9dd48d4e35831c1b1c9785c124dd7

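The CVE text above gives the trigger ("[a@url@page]") but not the underlying mistake, which is the general one for BBCode-style markup: a tag is turned into an HTML element whose attributes are copied from request input, and HTML-escaping the input beforehand does not help because the value still ends up inside an href. The PHP below is an added illustration written for this page, not phpMyAdmin's code or its fix; the function names are hypothetical, the sample messages are constructed, and the use of a javascript: URL as the payload is an assumption, since the entry only says "crafted BBcode tag containing '@' characters".

```php
<?php
// Added illustration, not phpMyAdmin's code. It models the bug class behind
// CVE-2010-4480: a BBCode link tag [a@url@target] is expanded into an <a>
// element whose attributes are taken straight from the request. The
// javascript: URL as the payload is an assumption; the advisory text on this
// page only says "crafted BBcode tag containing '@' characters".

const BB_LINK = '/\[a@([^"@]*)@([^\]"]*)\](.*?)\[\/a\]/s';

// Vulnerable shape: HTML-escape the message, then expand the tag with a plain
// regex. htmlspecialchars() stops '<' and '"' but cannot know that $1 will
// become an href, so a javascript: scheme survives into the attribute.
function render_error_vulnerable(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return preg_replace(BB_LINK, '<a href="$1" target="$2">$3</a>', $escaped);
}

// Hardened shape: expand through a callback that allow-lists the URL scheme
// and the target value; any tag that fails the check is left as the escaped
// literal text it already is, so nothing attacker-chosen becomes markup.
function render_error_hardened(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(BB_LINK, function (array $m): string {
        [$whole, $url, $target, $text] = $m;
        // Absolute http(s) or a relative './' path, limited to plain URL
        // characters. '&' appears as '&amp;' after escaping, so '&' and ';'
        // are permitted; '(' and ')' are not, which also rejects the payload.
        $urlOk = (bool) preg_match('#^(https?://|\./)[A-Za-z0-9._~/?\#&;=%+-]*$#', $url);
        $targetOk = in_array($target, ['_blank', '_self'], true);
        if (!$urlOk || !$targetOk) {
            return $whole;
        }
        return '<a href="' . $url . '" target="' . $target . '">' . $text . '</a>';
    }, $escaped);
}

// Constructed inputs; not the exploit-db proof of concept.
$benign = 'See [a@http://www.phpmyadmin.net/@_blank]the documentation[/a].';
$attack = '[a@javascript:alert(document.cookie)@_blank]Click here[/a]';

foreach (['vulnerable' => 'render_error_vulnerable',
          'hardened'   => 'render_error_hardened'] as $label => $fn) {
    echo $label, ":\n";
    echo "  ", $fn($benign), "\n";
    echo "  ", $fn($attack), "\n";
}
```

The design point is that the check is an allowlist on what the URL may start with and what the target may be, rather than a blocklist of bad schemes: case variants such as "JaVaScRiPt:" and other dangerous schemes ("data:", "vbscript:") are rejected without having to be enumerated, and a tag that fails the check is rendered as the already-escaped text it arrived as, so the failure mode is a visible literal rather than a silently dropped or partially expanded element.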
Comment 1 Vincent Danen 2010-12-12 04:20:38 UTC
The upstream advisory is here:

http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php

Comment 2 Vincent Danen 2010-12-12 04:27:30 UTC
Created phpMyAdmin tracking bugs for this issue

Affects: fedora-all [bug 662367]

Comment 3 Robert Scheck 2011-05-29 20:54:24 UTC
May somebody please close this report? phpMyAdmin 3.3.10 is available on all active
Fedora and EPEL branches that have PHP >= 5.2.

Comment 4 Jan Lieskovsky 2011-05-30 06:09:03 UTC
(In reply to comment #3)
> May somebody please close this report? phpMyAdmin 3.3.10 is available on all active
> Fedora and EPEL branches that have PHP >= 5.2.

Done. Thanks Robert.

