Advisories » MGASA-2014-0495

Updated phpmyadmin packages fix security vulnerabilities

Publication date: 26 Nov 2014
Modification date: 26 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8958, CVE-2014-8959, CVE-2014-8960, CVE-2014-8961

Description

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.7, with a crafted database, table or column name
it is possible to trigger an XSS attack in the table browse page, with a
crafted ENUM value it is possible to trigger XSS attacks in the table print
view and zoom search pages, and with a crafted value for font size it is
possible to trigger an XSS attack in the home page (CVE-2014-8958).

In phpMyAdmin before 4.1.14.7, in the GIS editor feature, a parameter
specifying the geometry type was not correctly validated, opening the door to
a local file inclusion attack (CVE-2014-8959).

In phpMyAdmin before 4.1.14.7, with a crafted file name it is possible to
trigger an XSS in the error reporting page (CVE-2014-8960).

In phpMyAdmin before 4.1.14.7, in the error reporting feature, a parameter
specifying the file was not correctly validated, allowing the attacker to
derive the line count of an arbitrary file (CVE-2014-8961).
                

References

SRPMS

4/core

3/core