Description
Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js.
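The bug class described above, as an added illustration that is not phpMyAdmin's code and does not reproduce the js/ajax.js fix: a "micro history" entry built from URL query parameters and emitted as HTML, first without escaping (attacker text from a crafted link ends up interpreted as markup in the victim's authenticated session, which is the foothold for the CSRF chain the description mentions) and then with every URL-derived value escaped and the link rebuilt origin-relative. The function names, the crafted URL and the db/table parameter names are constructed for this example.

```javascript
// Added example (not phpMyAdmin's code). Runs under Node.js; the browser step
// that would assign the returned markup via innerHTML is not needed to show
// whether attacker-controlled text survives as a tag.

// Escape the five HTML-significant characters so URL-derived text is inert in
// both element content and double-quoted attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (hypothetical, modelled on the CWE-79 description above):
// db/table names taken from the current URL are concatenated straight into
// history markup. A crafted link therefore injects a tag whose event handler
// runs with the victim's session, and that script may submit whatever forms
// the session is allowed to.
function renderHistoryEntryUnsafe(href) {
  const u = new URL(href);
  const db = u.searchParams.get("db") || "";
  const table = u.searchParams.get("table") || "";
  return `<li class="history"><a href="${href}">${db}.${table}</a></li>`;
}

// Hardened pattern: escape each value, and rebuild the link from the parsed
// path and query so the history entry cannot point off-origin.
function renderHistoryEntrySafe(href) {
  const u = new URL(href);
  const db = u.searchParams.get("db") || "";
  const table = u.searchParams.get("table") || "";
  const target = u.pathname + u.search; // origin-relative; query is re-encoded by the URL parser
  return (
    `<li class="history"><a href="${escapeHtml(target)}">` +
    `${escapeHtml(db)}.${escapeHtml(table)}</a></li>`
  );
}

// Check: did the payload from the URL survive into the markup as a raw tag?
function payloadNeutralized(markup, payload) {
  return !markup.includes(payload);
}

// Constructed crafted URL for the demonstration; not a payload from the advisory.
const PAYLOAD = "<img src=x onerror=alert(1)>";
const CRAFTED = `http://pma.example/sql.php?db=test&table=${PAYLOAD}`;

console.log("unsafe:", renderHistoryEntryUnsafe(CRAFTED));
console.log("safe:  ", renderHistoryEntrySafe(CRAFTED));
console.log("unsafe neutralized:", payloadNeutralized(renderHistoryEntryUnsafe(CRAFTED), PAYLOAD));
console.log("safe neutralized:  ", payloadNeutralized(renderHistoryEntrySafe(CRAFTED), PAYLOAD));
```

The WHATWG URL parser percent-encodes `<`, `>` and spaces in the query, so `u.search` is already inert for the attribute; the decoded `searchParams.get()` values are the ones that must be escaped before they reach element content.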
References (5)
Core References
https://security.gentoo.org/glsa/201505-03 (Third Party Advisory; vendor-advisory; x_refsource_gentoo)
https://github.com/phpmyadmin/phpmyadmin/commit/33b39f9f1dd9a4d27856530e5ac004e23b30e8ac (Patch; x_refsource_confirm)
http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php (Patch, Vendor Advisory; x_refsource_confirm)
http://lists.opensuse.org/opensuse-updates/2014-09/msg00032.html (Mailing List; vendor-advisory; x_refsource_suse)
http://www.securityfocus.com/bid/69790 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
Scores
EPSS
0.0027
EPSS Percentile
50.7%
Details
CWE
CWE-79
Status
published
Products (43)
opensuse/opensuse 12.3
opensuse/opensuse 13.1
phpmyadmin/phpmyadmin 4.0.0 (3 CPE variants)
phpmyadmin/phpmyadmin 4.0.1
phpmyadmin/phpmyadmin 4.0.2
phpmyadmin/phpmyadmin 4.0.3
phpmyadmin/phpmyadmin 4.0.4
phpmyadmin/phpmyadmin 4.0.4.1
phpmyadmin/phpmyadmin 4.0.4.2
phpmyadmin/phpmyadmin 4.0.5
... and 33 more
Published
Nov 08, 2014
Tracked Since
Feb 18, 2026