SB2016122924 - Cross-site scripting in phpmyadmin (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2016-9856)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=3c5da8c4643bf2ec21c87b1c68b3ad2c149fc3b9
• https://git.alpinelinux.org/aports/commit/?id=b36b3560d17cde1b9b07e17906ea6b7612b04cce
• https://git.alpinelinux.org/aports/commit/?id=a35fc5fa306c1b74cf13f5f8a6624b47b0409a82