SB2011100805 - Cross-site scripting in phpPgAdmin
Published: October 8, 2011 Updated: November 7, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2011-3598)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in phpPgAdmin before 5.0.3 when processing (1) a web page title, related to classes/Misc.php; or the (2) return_url or (3) return_desc parameter to display.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- http://freshmeat.net/projects/phppgadmin/releases/336969
- http://lists.fedoraproject.org/pipermail/package-announce/2011-October/067843.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-October/067846.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068009.html
- http://lists.opensuse.org/opensuse-updates/2012-04/msg00033.html
- http://osvdb.org/75997
- http://osvdb.org/75998
- http://secunia.com/advisories/46248
- http://secunia.com/advisories/46426
- http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news
- http://www.openwall.com/lists/oss-security/2011/10/04/1
- http://www.openwall.com/lists/oss-security/2011/10/04/10
- http://www.securityfocus.com/bid/49914
- https://bugs.gentoo.org/show_bug.cgi?id=385505
- https://bugzilla.redhat.com/show_bug.cgi?id=743205
- https://github.com/phppgadmin/phppgadmin/commit/1df248203de055f97e092b50b1dd9643ccb73842