Summary
The host is running phpMyAdmin and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow attackers to plant XSS backdoors and inject arbitrary SQL statements via crafted XSS payloads.
Impact Level: Application
Solution
Upgrade to phpMyAdmin version 3.4.0 beta 3 or later.
For updates refer to http://www.phpmyadmin.net/home_page/downloads.php
Insight
The flaw is caused by improper validation of user-supplied input passed in the 'db' parameter to 'index.php', which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Affected
phpMyAdmin versions 3.4.x before 3.4.0 beta 3
Severity
Classification
CVSS Base Score: 4.3
CVSS Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- AdaptCMS Lite Cross Site Scripting and Remote File Include Vulnerabilities
- Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- Apache Tomcat TroubleShooter Servlet Installed
- Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability