Vulnerability Name: CVE-2010-3056 (CCN-61279)
Assigned: 2010-08-20
Published: 2010-08-20
Updated: 2011-01-28
Summary: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE; Type: CNA; Reference: CVE-2010-3056
Source: FEDORA; Type: UNKNOWN; Reference: FEDORA-2010-13249
Source: FEDORA; Type: UNKNOWN; Reference: FEDORA-2010-13258
Source: CCN; Type: MSA-10-0014; Reference: Customised phpMyAdmin upgraded to 2.11.11
Source: CCN; Type: SA41000; Reference: phpMyAdmin Cross-Site Scripting Vulnerabilities
Source: SECUNIA; Type: Vendor Advisory; Reference: 41000
Source: CCN; Type: SA41042; Reference: TYPO3 phpMyAdmin Extension Multiple Cross-Site Scripting Vulnerabilities
Source: SECUNIA; Type: Vendor Advisory; Reference: 41185
Source: CCN; Type: SA41954; Reference: Moodle phpMyAdmin Module Multiple Vulnerabilities
Source: DEBIAN; Type: UNKNOWN; Reference: DSA-2097
Source: DEBIAN; Type: DSA-2097; Reference: phpmyadmin -- insufficient input sanitising
Source: MANDRIVA; Type: UNKNOWN; Reference: MDVSA-2010:163
Source: MANDRIVA; Type: UNKNOWN; Reference: MDVSA-2010:164
Source: CCN; Type: PMASA-2010-5; Reference: Several XSS vulnerabilities were found in the code
Source: CONFIRM; Type: Patch, Vendor Advisory; Reference: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
Source: BID; Type: Patch; Reference: 42584
Source: CCN; Type: BID-42584; Reference: phpMyAdmin Multiple Cross Site Scripting Vulnerabilities
Source: VUPEN; Type: Vendor Advisory; Reference: ADV-2010-2223
Source: VUPEN; Type: UNKNOWN; Reference: ADV-2010-2231
Source: MISC; Type: Exploit; Reference: http://yehg.net/lab/pr0js/advisories/phpmyadmin/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting%28XSS%29
Source: CONFIRM; Type: UNKNOWN; Reference: https://bugzilla.redhat.com/show_bug.cgi?id=625877
Source: XF; Type: UNKNOWN; Reference: phpmyadmin-fieldstr-xss(61279)
Vulnerable Configuration:
Configuration 1:
cpe:/a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.7.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.8.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.9.6:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:2.11.10.0:*:*:*:*:*:*:*
Configuration 2:
cpe:/a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*

Vulnerability Name: CVE-2010-3056 (CCN-61483)
Assigned: 2010-08-30
Published: 2010-08-30
Updated: 2010-08-30
Summary: phpMyAdmin is vulnerable to cross-site scripting, caused by improper validation of unspecified input returned by debug messages used by PHP backtrace. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Vulnerability Consequences: Gain Access
References:
Source: MITRE; Type: CNA; Reference: CVE-2010-3056
Source: CCN; Type: MSA-10-0014; Reference: Customised phpMyAdmin upgraded to 2.11.11
Source: CCN; Type: SA41000; Reference: phpMyAdmin Cross-Site Scripting Vulnerabilities
Source: CCN; Type: SA41206; Reference: phpMyAdmin Backtrace Cross-Site Scripting Vulnerability
Source: CCN; Type: SA41954; Reference: Moodle phpMyAdmin Module Multiple Vulnerabilities
Source: DEBIAN; Type: DSA-2097; Reference: phpmyadmin -- insufficient input sanitising
Source: CCN; Type: phpMyAdmin Web site; Reference: phpMyAdmin
Source: CCN; Type: PMASA-2010-6; Reference: XSS attack using debugging messages
Source: CCN; Type: BID-42584; Reference: phpMyAdmin Multiple Cross Site Scripting Vulnerabilities
Source: CCN; Type: BID-42874; Reference: phpMyAdmin Debug Backtrace Cross Site Scripting Vulnerability
Source: XF; Type: UNKNOWN; Reference: phpmyadmin-backtrace-xss(61483)
Vulnerable Configuration:
Configuration CCN 1:
cpe:/a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:* OR
cpe:/a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
AND
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:* OR
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:x86_64:*:*:*:*:* OR
cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*