A cross-site scripting (XSS) flaw was found in the way phpMyAdmin, a tool to handle the administration of MySQL over the World Wide Web, sanitized certain input when displaying GIS visualization(s). A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the phpMyAdmin user's session.

References:
[1] http://seclists.org/fulldisclosure/2013/Apr/100

Relevant upstream patch:
[2] https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a
This issue affects the versions of the phpMyAdmin package as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.

This issue did NOT affect the version of the phpMyAdmin package as shipped with Fedora EPEL-5 (the affected functionality was not present in that version yet).
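To illustrate the class of defect described above (a URL-controlled value reaching HTML output without escaping) alongside the standard fix, here is an added example. It is not phpMyAdmin's code and not the upstream patch; the function names, the `visualizationSettings[label]` parameter and the markup are hypothetical and chosen for illustration only.

```php
<?php
// Added illustration (not phpMyAdmin's code, not the upstream patch): a
// caller-controlled value echoed into HTML unescaped is a reflected XSS,
// and escaping for the HTML context at output time is the fix.
// The parameter name "visualizationSettings[label]" and the markup below
// are assumptions made up for this example.

/**
 * Unsafe variant: the label is concatenated into HTML as-is, so any
 * markup contained in it is interpreted by the browser.
 */
function render_gis_label_unsafe(string $label): string
{
    return '<div class="gis-label">' . $label . '</div>';
}

/**
 * Context-aware escaping for HTML text and quoted attribute values.
 * ENT_QUOTES escapes both quote characters; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened variant: the same rendering, but the label is escaped at the
 * point where it enters the HTML document.
 */
function render_gis_label_safe(string $label): string
{
    return '<div class="gis-label">' . escape_html($label) . '</div>';
}

// Constructed sample input, standing in for $_GET['visualizationSettings']['label'].
$constructedInput = 'Region "A" <b>bold</b> & <i>more</i>';

echo render_gis_label_unsafe($constructedInput), PHP_EOL;
echo render_gis_label_safe($constructedInput), PHP_EOL;

// Self-check: no raw tag or unescaped quote survives the hardened path.
$safe = render_gis_label_safe($constructedInput);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '"A"') === false);
```

The point of the example is where the escaping happens: at output, for the specific context (HTML text here), rather than by trying to strip or validate "dangerous" characters on input. Attribute, JavaScript and URL contexts each need their own encoder; `htmlspecialchars()` alone is only correct for HTML text and quoted attribute values.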
Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 950108]
Affects: epel-6 [bug 950109]
The CVE identifier of CVE-2013-1937 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/09/13
phpMyAdmin-3.5.8-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.5.8-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.5.8-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
External Reference: http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php
phpMyAdmin-3.5.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin3-3.5.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.