Hi devs,
I requested a CVE id to be assigned for PMASA-2007-6, which is quoted below. If I have spotted it correctly, I see not much use of CVE IDs within phpMyAdmin. It would be very helpful for security workers in e.g. distributions if the PMASA advisories would mention the corresponding CVE numbers when such a number is or becomes available. It could also have a place in the relevant changelog entry that fixes the problem.
Would you consider doing that?
Thanks,
Thijs (also on behalf of the Debian security team)
---------------------------- Original Message ----------------------------
Subject: Re: CVE for phpMyAdmin PMASA-2007-6
From: "Steven M. Christey" coley@linus.mitre.org
Date: Mon, October 22, 2007 22:19
To: "Thijs Kinkhorst" thijs@debian.org
Cc: cve@mitre.org
--------------------------------------------------------------------------
Hello,
Use CVE-2007-5589
- Steve
======================================================
Name: CVE-2007-5589
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5589
Reference: MISC:http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
Reference: CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_...
Reference: CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revisio...
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
Reference: FRSIRT:ADV-2007-3535
Reference: URL:http://www.frsirt.com/english/advisories/2007/3535
Reference: SECUNIA:27246
Reference: URL:http://secunia.com/advisories/27246
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.
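As an added illustration of the bug class the CVE text describes (it is not phpMyAdmin's code and not part of the advisory), here is the PHP_SELF reflection pattern beside its hardened form; the function names and the request values are constructed for the example.

```php
<?php
// Added example, not phpMyAdmin's own code. Under Apache/mod_php,
// $_SERVER['PHP_SELF'] includes PATH_INFO, i.e. whatever the client
// appended after the script name, so it is attacker-influenced.

// Vulnerable pattern: the request path is emitted raw into an
// HTML attribute, so a crafted path breaks out of the attribute.
function form_action_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: encode for the attribute context before output.
// (Using the script's own fixed name instead of the request path is
// an even simpler fix where the page does not need PATH_INFO.)
function form_action_hardened(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed request values: a normal path, and one carrying
// harmless markup in PATH_INFO to show the difference in output.
$benign  = ['PHP_SELF' => '/phpmyadmin/server_status.php'];
$hostile = ['PHP_SELF' => '/phpmyadmin/server_status.php/"><b>x</b>'];

echo form_action_vulnerable($benign), "\n";
// In the vulnerable form the quote and the <b> element survive intact:
echo form_action_vulnerable($hostile), "\n";
// In the hardened form they come out as &quot;&gt;&lt;b&gt;x&lt;/b&gt;
// and stay inside the attribute value as inert text:
echo form_action_hardened($hostile), "\n";
```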