CVE-2012-5368

phpMyAdmin 3.5.x < 3.5.3 - Cross-Site Scripting via Unencrypted JavaScript Fetch

Title source: llm

Description

phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code.

References (5)

Core 5

Core References

Patch, Vendor Advisory x_refsource_confirm

http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php

Patch x_refsource_confirm

https://github.com/phpmyadmin/phpmyadmin/commit/a547f3d3e2cf36c6a904fa3e053fd8bddd3fbbb0

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2012-11/msg00033.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/55939

Patch x_refsource_confirm

https://github.com/phpmyadmin/phpmyadmin/commit/50edafc0884aa15d0a1aa178089ac6a1ad2eb18a

View Patch ZIP pw:eip

Scores

EPSS 0.0043

EPSS Percentile 62.4%

Details

CWE

CWE-79

Status published

Products (6)

phpmyadmin/phpmyadmin 3.5.0.0

phpmyadmin/phpmyadmin 3.5.1.0

phpmyadmin/phpmyadmin 3.5.2.0

phpmyadmin/phpmyadmin 3.5.2.1

phpmyadmin/phpmyadmin 3.5.2.2

phpmyadmin/phpmyadmin 3.5 - 3.5.3Packagist

Published Oct 25, 2012

Tracked Since Feb 18, 2026