CVE-2014-5273

NameCVE-2014-5273
DescriptionMultiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow (attack range: remote)
Debian Bugs758536

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)jessie4:4.2.12-2+deb8u2fixed
jessie (security)4:4.2.12-2+deb8u3fixed
stretch4:4.6.6-4fixed
buster, sid4:4.6.6-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsource(unstable)4:4.2.7.1-1low758536
phpmyadminsourcesqueeze(not affected)
phpmyadminsourcewheezy(not affected)

Notes

[wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
Most of the affected Javascript files do not exist on version 3.3 and 3.4.
Those that do do not contain the problematic code.

Search for package or bug name: Reporting problems