Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
Affected Versions: Versions 4.5.x (prior to 4.5.5.1) are affected.
Fixed in phpMyAdmin 4.5.5.1.
Upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/3a6a9a807d99371ee126635e1a505fc1fe0df32c
External References: https://www.phpmyadmin.net/security/PMASA-2016-10/
Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 1313698]
Affects: epel-all [bug 1313699]
Created phpMyAdmin4 tracking bugs for this issue:
Affects: epel-5 [bug 1313700]
phpMyAdmin-4.0.10.15-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
php-udan11-sql-parser-3.4.0-1.fc23, phpMyAdmin-4.5.5.1-1.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.4.15.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin4-4.0.10.15-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.