Vulnerability CVE-2014-5273

Vulnerability Name:

CVE-2014-5273 (CCN-95373)

Assigned:

2014-08-17

Published:

2014-08-17

Updated:

2014-10-16

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2014-5273

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1069

Source: SECUNIA
Type: UNKNOWN
60397

Source: CCN
Type: OSVDB ID: 110150
phpMyAdmin Table Browse Page Multiple Field Stored XSS

Source: CCN
Type: phpMyAdmin Security Advisory PMASA-2014-8
Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query charts and table relations pages

Source: CONFIRM
Type: Vendor Advisory
http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php

Source: CCN
Type: BID-69268
phpMyAdmin Multiple Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
phpmyadmin-cve20145273-xss(95373)

Source: CONFIRM
Type: Exploit, Patch
https://github.com/phpmyadmin/phpmyadmin/commit/2c45d7caa614afd71dbe3d0f7270f51ce5569614

Source: CONFIRM
Type: Exploit, Patch
https://github.com/phpmyadmin/phpmyadmin/commit/3ffc967fb60cf2910cc2f571017e977558c67821

Source: CONFIRM
Type: Exploit, Patch
https://github.com/phpmyadmin/phpmyadmin/commit/647c9d12e33a6b64e1c3ff7487f72696bdf2dccb

Source: CONFIRM
Type: Exploit, Patch
https://github.com/phpmyadmin/phpmyadmin/commit/90ddeecf60fc029608b972e490b735f3a65ed0cb

Source: CONFIRM
Type: Exploit, Patch
https://github.com/phpmyadmin/phpmyadmin/commit/cd9f302bf7f91a160fe7080f9a612019ef847f1c

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-5273

Vulnerable Configuration:

Configuration 1:

cpe:/a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:phpmyadmin:phpmyadmin:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.10:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.11:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.12:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.13:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.14:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.14.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.1.14.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:phpmyadmin:phpmyadmin:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.7:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:phpmyadmin:phpmyadmin:4.1.14.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20145273	V	CVE-2014-5273	2022-06-30
oval:org.opensuse.security:def:113141	P	phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106569	P	phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.bionic:def:201452730000000	V	CVE-2014-5273 on Ubuntu 18.04 LTS (bionic) - medium.	2014-08-22
oval:com.ubuntu.xenial:def:201452730000000	V	CVE-2014-5273 on Ubuntu 16.04 LTS (xenial) - medium.	2014-08-22
oval:com.ubuntu.disco:def:201452730000000	V	CVE-2014-5273 on Ubuntu 19.04 (disco) - medium.	2014-08-22
oval:com.ubuntu.cosmic:def:201452730000000	V	CVE-2014-5273 on Ubuntu 18.10 (cosmic) - medium.	2014-08-21
oval:com.ubuntu.artful:def:20145273000	V	CVE-2014-5273 on Ubuntu 17.10 (artful) - medium.	2014-08-21
oval:com.ubuntu.trusty:def:20145273000	V	CVE-2014-5273 on Ubuntu 14.04 LTS (trusty) - medium.	2014-08-21
oval:com.ubuntu.bionic:def:20145273000	V	CVE-2014-5273 on Ubuntu 18.04 LTS (bionic) - medium.	2014-08-21
oval:com.ubuntu.xenial:def:20145273000	V	CVE-2014-5273 on Ubuntu 16.04 LTS (xenial) - medium.	2014-08-21
oval:com.ubuntu.cosmic:def:20145273000	V	CVE-2014-5273 on Ubuntu 18.10 (cosmic) - medium.	2014-08-21
oval:com.ubuntu.precise:def:20145273000	V	CVE-2014-5273 on Ubuntu 12.04 LTS (precise) - medium.	2014-08-21

BACK