Summary
The host is running phpMyAdmin and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to phpMyAdmin version 3.4.6 or later.
For updates refer to http://www.phpmyadmin.net/home_page/downloads.php
Insight
The flaw is due to improper validation of user-supplied input via the 'Servers-0-verbose' parameter to setup/index.php, which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Affected
phpMyAdmin versions 3.4.x before 3.4.6
References
- http://hauntit.blogspot.com/2011/09/stored-xss-in-phpmyadmin-345-all.html
- http://osvdb.org/show/osvdb/76711
- http://secunia.com/advisories/46431
- http://securitytracker.com/id/1026199
- http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
- http://xforce.iss.net/xforce/xfdb/70681
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2011-4064
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N