With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.
Credit:
The original article can be found at: https://www.phpmyadmin.net/security/PMASA-2016-24/
Vulnerable Systems:
* phpMyAdmin 4.0.0
* phpMyAdmin 4.0.1
* phpMyAdmin 4.0.2
* phpMyAdmin 4.0.3
* phpMyAdmin 4.0.4
* phpMyAdmin 4.0.4.1
* phpMyAdmin 4.0.4.2
* phpMyAdmin 4.0.5
* phpMyAdmin 4.0.6
* phpMyAdmin 4.0.7
* phpMyAdmin 4.0.8
* phpMyAdmin 4.0.9
* phpMyAdmin 4.0.10
* phpMyAdmin 4.0.10.1
* phpMyAdmin 4.0.10.2
* phpMyAdmin 4.0.10.3
* phpMyAdmin 4.0.10.4
* phpMyAdmin 4.0.10.5
* phpMyAdmin 4.0.10.6
* phpMyAdmin 4.0.10.7
* phpMyAdmin 4.0.10.8
* phpMyAdmin 4.0.10.9
* phpMyAdmin 4.0.10.10
* phpMyAdmin 4.0.10.11
* phpMyAdmin 4.0.10.12
* phpMyAdmin 4.0.10.13
* phpMyAdmin 4.0.10.14
* phpMyAdmin 4.0.10.15
* phpMyAdmin 4.4.0
* phpMyAdmin 4.4.1
* phpMyAdmin 4.4.1.1
* phpMyAdmin 4.4.2
* phpMyAdmin 4.4.3
* phpMyAdmin 4.4.4
* phpMyAdmin 4.4.5
* phpMyAdmin 4.4.6
* phpMyAdmin 4.4.6.1
* phpMyAdmin 4.4.7
* phpMyAdmin 4.4.8
* phpMyAdmin 4.4.9
* phpMyAdmin 4.4.10
* phpMyAdmin 4.4.11
* phpMyAdmin 4.4.12
* phpMyAdmin 4.4.13
* phpMyAdmin 4.4.13.1
* phpMyAdmin 4.4.14.1
* phpMyAdmin 4.4.15
* phpMyAdmin 4.4.15.1
* phpMyAdmin 4.4.15.2
* phpMyAdmin 4.4.15.3
* phpMyAdmin 4.4.15.4
* phpMyAdmin 4.4.15.5
* phpMyAdmin 4.4.15.6
* phpMyAdmin 4.6.0
* phpMyAdmin 4.6.1
* phpMyAdmin 4.6.2
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.
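To triage an inventory against the ranges above, the following added example (not part of the original advisory or of phpMyAdmin) classifies a version string as affected, fixed, or belonging to a branch the advisory does not list. The host names and versions in `SAMPLE_INVENTORY` are constructed, and treating a pre-release build of a fixed version as not fixed is a conservative assumption.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED = {
    (4, 0): (4, 0, 10, 16),
    (4, 4): (4, 4, 15, 7),
    (4, 6): (4, 6, 3),
}

def parse_version(text):
    """Return (numeric tuple, is_prerelease) for '4.4.15.6', '4.6.0-rc1', etc."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})(?:-([0-9A-Za-z.]+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def pad(nums, width=4):
    """Right-pad with zeros so 4.6.3 and 4.0.10.16 compare component-wise."""
    return nums + (0,) * (width - len(nums))

def classify(text):
    """Return 'affected', 'fixed' or 'unlisted-branch' for CVE-2016-5731."""
    nums, prerelease = parse_version(text)
    fixed = FIXED.get(nums[:2])
    if fixed is None:
        # The advisory names only 4.0.x, 4.4.x and 4.6.x; say so instead of
        # reporting other branches as safe.
        return "unlisted-branch"
    if pad(nums) < pad(fixed):
        return "affected"
    if pad(nums) == pad(fixed) and prerelease:
        # Assumption: a pre-release of the fixed version is not trusted to
        # contain the fix.
        return "affected"
    return "fixed"

def audit(inventory):
    """Map host -> status for every host that is not on a fixed release."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    return {host: status for host, status in results.items() if status != "fixed"}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "db-admin-01": "4.0.10.15",
    "db-admin-02": "4.4.15.7",
    "db-admin-03": "4.6.0-rc1",
    "db-admin-04": "4.5.5.1",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unlisted-branch` need a separate check against the vendor's own advisory, since this page gives no range for them.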
CVE Information:
CVE-2016-5731
Disclosure Timeline:
Publish Date : 2016-07-02
Last Update Date : 2016-07-05