The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.

This is a version upgrade to phpMyAdmin 2.11.9.4 to fix various security bugs. (CVE-2008-2960, CVE-2008-3197, CVE-2008-1149, CVE-2008-1567, CVE-2008-1924, CVE-2008-4096, CVE-2008-4326, CVE-2008-5621, CVE-2008-5622)

Masako Oono discovered that phpMyAdmin, a web-based administration interface for MySQL, insufficiently sanitises input allowing a remote attacker to gather sensitive data through cross site scripting, provided that the user uses the Internet Explorer web browser.

This update also fixes a regression introduced in DSA 1641, that broke changing of the language and encoding in the login screen.

ID	Name	Product	Family	Severity
40107	openSUSE Security Update : phpMyAdmin (phpMyAdmin-442)	Nessus	SuSE Local Security Checks	high
35449	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5935)	Nessus	SuSE Local Security Checks	high
35010	Debian DSA-1675-1 : phpmyadmin - insufficient input sanitising	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2008-4326

medium

Tenable Plugins

high

high

medium