Description
Security update for phpMyAdmin
This update for phpMyAdmin fixes multiple issues.
Security issues fixed:
- CVE-2018-12613: File inclusion and remote code execution attack (boo#1098751)
- CVE-2018-12581: XSS in Designer feature (boo#1098752)
This update to version 4.8.2 also contains a number of upstream bug fixes and improvements.
Package list
SUSE Package Hub for SUSE Linux Enterprise 12
References
- E-Mail link for openSUSE-SU-2018:1809-1
- SUSE Security Ratings
Description
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
Affected products
References
- CVE-2018-12581
- SUSE Bug 1098752
Description
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
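A defensive check for the preconditions described above, added here as an example (not code from SUSE or phpMyAdmin): given an installed version string and the text of `config.inc.php`, it reports whether the install is in the affected 4.8.x range and whether either setting that removes the authentication requirement is active. The function names and the sample config are constructed; the defaults assumed when a setting is absent (`AllowArbitraryServer` false, `ServerDefault` 1) are phpMyAdmin's shipped defaults.

```python
import re

FIXED = (4, 8, 2)  # first fixed release, per the advisory

def parse_version(text):
    """Turn '4.8.1' into (4, 8, 1); missing components count as 0."""
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def strip_php_comments(src):
    """Drop /* */, // and # comments so commented-out settings are ignored.
    Simplification: comment markers inside string literals are not handled."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)

def read_setting(src, key, default):
    """Return the last literal assigned to $cfg[key], lower-cased, or the default."""
    pat = r"\$cfg\[\s*['\"]" + re.escape(key) + r"['\"]\s*\]\s*=\s*([^;]+);"
    hits = re.findall(pat, strip_php_comments(src))
    return hits[-1].strip().lower() if hits else default

def assess(version, config_src):
    """Report exposure to CVE-2018-12613 for one install."""
    affected = (4, 8, 0) <= parse_version(version) < FIXED
    arbitrary = read_setting(config_src, "AllowArbitraryServer", "false") in ("true", "1")
    no_default = read_setting(config_src, "ServerDefault", "1") in ("0", "'0'", '"0"')
    flags = (("AllowArbitraryServer", arbitrary), ("ServerDefault=0", no_default))
    return {
        "affected_version": affected,
        # Without either setting the flaw still exists but needs a valid login.
        "unauthenticated_exposure": affected and (arbitrary or no_default),
        "reasons": [name for name, on in flags if on],
    }

# Constructed sample config, not taken from any real host.
SAMPLE_CONFIG = """<?php
// $cfg['AllowArbitraryServer'] = true;   (commented out, must be ignored)
$cfg['Servers'][1]['auth_type'] = 'cookie';
$cfg['ServerDefault'] = 0;
"""

if __name__ == "__main__":
    print(assess("4.8.1", SAMPLE_CONFIG))
```

An install that reports `affected_version` should be updated to 4.8.2 regardless of the other fields; the two settings only change whether a login is needed first.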
Affected products
References
- CVE-2018-12613
- SUSE Bug 1098735
- SUSE Bug 1098744
- SUSE Bug 1098751