CVE-2007-1395

NameCVE-2007-1395
DescriptionIncomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1370-1, DSA-1370-2

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm4:5.2.1+dfsg-1fixed
sid, trixie4:5.2.2-really5.2.2+20241130+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesarge4:2.6.2-3sarge5DSA-1370-2
phpmyadminsourceetch4:2.9.1.1-4DSA-1370-2
phpmyadminsource(unstable)4:2.10.0.2-1medium

Notes

[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
https://www.phpmyadmin.net/security/PMASA-2007-2/
https://github.com/phpmyadmin/phpmyadmin/commit/6215e201eb98226837954059f6c99c9aa1c55a9a

Search for package or bug name: Reporting problems