Detections
Analytics
phpMyAdmin 4.0.x < 4.0.10.5 / 4.1.x < 4.1.14.6 / 4.2.x < 4.2.10.1 Multiple XSS (PMASA-2014-12)
low Nessus Plugin ID 78738
Language:
Synopsis
The remote web server hosts a PHP application that is affected by multiple vulnerabilities.Description
According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.5, 4.1.x prior to 4.1.14.6, or 4.2.x prior to 4.2.10.1. It is, therefore, affected by the following cross-site scripting vulnerabilities :- The 'libraries/DatabaseInterface.class.php' script does not validate input to database and table names in SQL debug output before returning it to users.
- The 'js/server_status_monitor.js' script does not validate input to executed queries before they are viewed or analyzed.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to phpMyAdmin 4.0.10.5 / 4.1.14.6 / 4.2.10.1 or later, or apply the patches from the referenced links.See Also
http://www.phpmyadmin.net/home_page/security/PMASA-2014-12.php
http://www.nessus.org/u?1b0b4c16
http://www.nessus.org/u?58e25324
http://www.nessus.org/u?d6d9753b
http://www.nessus.org/u?4d81aa0b
Plugin Details
Severity: Low
ID: 78738
File Name: phpmyadmin_pmasa_2014_12.nasl
Version: 1.6
Type: remote
Family: CGI abuses : XSS
Published: 10/30/2014
Updated: 6/4/2024
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Low
Base Score: 3.5
Temporal Score: 3
Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:phpmyadmin:phpmyadmin
Required KB Items: www/PHP, Settings/ParanoidReport, installed_sw/phpMyAdmin
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 10/21/2014
Vulnerability Publication Date: 10/21/2014
Reference Information
CVE: CVE-2014-8326
BID: 70731