Updated phpmyadmin package fixes security vulnerabilities
Publication date: 05 Aug 2014Modification date: 05 Aug 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-4955 , CVE-2014-4986 , CVE-2014-4987
Description
In phpMyAdmin before 4.1.14.2, when navigating into the database triggers
page, it is possible to trigger an XSS with a crafted trigger name
(CVE-2014-4955).
In phpMyAdmin before 4.1.14.2, with a crafted column name it is possible to
trigger an XSS when dropping the column in table structure page. With a
crafted table name it is possible to trigger an XSS when dropping or
truncating the table in table operations page (CVE-2014-4986).
In phpMyAdmin before 4.1.14.2, An unpriviledged user could view the MySQL
user list and manipulate the tabs displayed in phpMyAdmin for them
(CVE-2014-4987).
References
- https://bugs.mageia.org/show_bug.cgi?id=13766
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4986
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4987
SRPMS
4/core
- phpmyadmin-4.1.14.2-1.mga4
3/core
- phpmyadmin-4.1.14.2-1.mga3