FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability

Affected packages
4.5.0 <= phpmyadmin < 4.5.5.1

Details

VuXML ID f682a506-df7c-11e5-81e4-6805ca0b3d42
Discovery 2016-02-29
Entry 2016-03-01

The phpMyAdmin development team reports:

XSS vulnerability in SQL parser.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.

A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

Using a crafted parameter value, it is possible to trigger an XSS attack in the user accounts page.

Using a crafted parameter value, it is possible to trigger an XSS attack in the zoom search page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

With a crafted table/column name, it is possible to trigger an XSS attack in the database normalization page.

With a crafted parameter, it is possible to trigger an XSS attack in the database structure page.

With a crafted parameter, it is possible to trigger an XSS attack in the central columns page.

We consider this vulnerability to be non-critical.

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

We consider this vulnerability to be serious.

References

CVE Name CVE-2016-2559
CVE Name CVE-2016-2560
CVE Name CVE-2016-2561
CVE Name CVE-2016-2562
URL https://www.phpmyadmin.net/security/PMASA-2016-10/
URL https://www.phpmyadmin.net/security/PMASA-2016-11/
URL https://www.phpmyadmin.net/security/PMASA-2016-12/
URL https://www.phpmyadmin.net/security/PMASA-2016-13/