CVE-2007-1395

NameCVE-2007-1395
DescriptionIncomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1370-1, DSA-1370-2
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)stretch4:4.6.6-4+deb9u1fixed
bullseye, sid4:4.9.5+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesarge4:2.6.2-3sarge5DSA-1370-2
phpmyadminsourceetch4:2.9.1.1-4DSA-1370-2
phpmyadminsource(unstable)4:2.10.0.2-1medium

Notes

[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
https://www.phpmyadmin.net/security/PMASA-2007-2/
https://github.com/phpmyadmin/phpmyadmin/commit/6215e201eb98226837954059f6c99c9aa1c55a9a

Search for package or bug name: Reporting problems