CVE-2014-4954

Published: 20 July 2014

Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page.

Priority

Status

Package	Release	Status
phpmyadmin Launchpad, Ubuntu, Debian	lucid	Not vulnerable
	precise	Not vulnerable
	trusty	Not vulnerable
	upstream	Released (4.2.6)
	utopic	Not vulnerable (4:4.2.6-1)
	Patches: upstream: https://github.com/phpmyadmin/phpmyadmin/commit/57475371a5b515c83bfc1bb2efcdf3ddb14787ed

References

https://github.com/phpmyadmin/phpmyadmin/commit/57475371a5b515c83bfc1bb2efcdf3ddb14787ed
http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php
https://www.cve.org/CVERecord?id=CVE-2014-4954
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.