CVE-2014-8958
https://notcve.org/view.php?id=CVE-2014-8958
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x anterior a 4.0.10.6, 4.1.x anterior a 4.1.14.7, y 4.2.x anterior a 4.2.12 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) una base de datos manipulada, (2) una tabla manipulada o (3) un nombre de columna manipulado que se maneja indebidamente durante el renderazación de la página del navegador de tablas; un valor ENUM manipulado que se maneja indebidamente durante la renderización de (4) la visualización de la impresión de tablas o (5) la página de búsqueda del zoom; o (6) una cookie pma_fontsize manipulada que se maneja indebidamente durante la renderización de la página de inicio. • http://lists.opensuse.org/opensuse-updates/2014-12/msg00017.html http://www.debian.org/security/2015/dsa-3382 http://www.mandriva.com/security/advisories?name=MDVSA-2014:228 http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php http://www.securityfocus.com/bid/71243 https://github.com/phpmyadmin/phpmyadmin/commit/1bc04ec95038f2356ad33752090001bf1c047208 https://github.com/phpmyadmin/phpmyadmin/commit/2a3b7393d1d5a8ba0543699df94a08a0f5728fe0 https://github.com/phpmyadmin/phpmyadmin/commit/2ffdbf2d7daa0b92541d8b754e2afac55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-8959
https://notcve.org/view.php?id=CVE-2014-8959
Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. Vulnerabilidad de salto de directorio en libraries/gis/GIS_Factory.class.php en el editor GIS en phpMyAdmin 4.0.x anterior a 4.0.10.6, 4.1.x anterior a 4.1.14.7, y 4.2.x anterior a 4.2.12 permite a usuarios remotos autenticados incluir y ejecutar ficheros locales arbitrarios a través de un parámetro del tipo 'geometría' manipulado. • http://lists.opensuse.org/opensuse-updates/2014-12/msg00017.html http://www.mandriva.com/security/advisories?name=MDVSA-2014:228 http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php http://www.securityfocus.com/bid/71247 https://github.com/phpmyadmin/phpmyadmin/commit/80cd40b6687a6717860d345d6eb55bef2908e961 https://security.gentoo.org/glsa/201505-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-8326
https://notcve.org/view.php?id=CVE-2014-8326
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x anterior a 4.0.10.5, 4.1.x anterior a 4.1.14.6, y 4.2.x anterior a 4.2.10.1 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre manipulado de (1) base de datos o (2) tabla, relacionado con el código libraries/DatabaseInterface.class.php para las salidas de purificación de SQL y el código js/server_status_monitor.js para la página del monitor de servidores. • http://lists.opensuse.org/opensuse-updates/2014-11/msg00004.html http://www.phpmyadmin.net/home_page/security/PMASA-2014-12.php http://www.securityfocus.com/bid/70731 https://github.com/phpmyadmin/phpmyadmin/commit/7b8962dede7631298c81e2c1cd267b81f1e08a8c https://github.com/phpmyadmin/phpmyadmin/commit/bd68c54d1beeef79d237e8bfda44690834012a76 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-7217
https://notcve.org/view.php?id=CVE-2014-7217
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x anterior a 4.0.10.4, 4.1.x anterior a 4.1.14.5, y 4.2.x anterior a 4.2.9.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un valor ENUM manipulado que se maneja indebidamente durante la renderización de la página de (1) búsqueda de tablas o (2) estructura de tablas, relacionado con libraries/TableSearch.class.php y libraries/Util.class.php. • http://lists.opensuse.org/opensuse-updates/2014-10/msg00009.html http://secunia.com/advisories/61777 http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php http://www.securityfocus.com/bid/70252 https://github.com/phpmyadmin/phpmyadmin/commit/304fb2b645b36a39e03b954fdbd567173ebe6448 https://github.com/phpmyadmin/phpmyadmin/commit/c1a3f85fbd1a9569646e7cf1b791325ae82c7961 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-6300
https://notcve.org/view.php?id=CVE-2014-6300
Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. Vulnerabilidad de XSS en la implementación micro history en phpMyAdmin 4.0.x anterior a 4.0.10.3, 4.1.x anterior a 4.1.14.4, y 4.2.x anterior a 4.2.8.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios , y como consecuencia realizar un ataque de CSRF para crear una cuenta root, a través de una URL manipulada, relacionado con js/ajax.js. • http://lists.opensuse.org/opensuse-updates/2014-09/msg00032.html http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php http://www.securityfocus.com/bid/69790 https://github.com/phpmyadmin/phpmyadmin/commit/33b39f9f1dd9a4d27856530e5ac004e23b30e8ac https://security.gentoo.org/glsa/201505-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •