SB2012091810 - Cross-site scripting in phpmyadmin (Alpine package)
Published: September 18, 2012
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2012-4345)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via (1) a crafted table name during table creation, or (2) an Empty link or (3) a Drop link for a crafted table name. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=080d869277ef4c08da8bf4b6633ffcb8bbdaaec5
- https://git.alpinelinux.org/aports/commit/?id=150e91246c0613c04e483429bf8209636988394c
- https://git.alpinelinux.org/aports/commit/?id=f64688a02406890fd3c057b24e5fa2e0dd113c64
- https://git.alpinelinux.org/aports/commit/?id=03250c1b50f9d9f705d454864045a65c91a2d346