NVD Vulnerability Detail

CVE-2014-5273

Summary	Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.
Publication Date	Aug. 22, 2014, 10:55 a.m.
Registration Date	Jan. 26, 2021, 3:14 p.m.
Last Update	Nov. 21, 2024, 11:11 a.m.

CVSS2.0 : LOW
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	単一
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html
2	http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html
3	http://secunia.com/advisories/60397
4	http://secunia.com/advisories/60397
5	http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php	Vendor Advisory
6	http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php	Vendor Advisory
7	https://github.com/phpmyadmin/phpmyadmin/commit/2c45d7caa614afd71dbe3d0f7270f51ce5569614	Exploit Patch
8	https://github.com/phpmyadmin/phpmyadmin/commit/2c45d7caa614afd71dbe3d0f7270f51ce5569614	Exploit Patch
9	https://github.com/phpmyadmin/phpmyadmin/commit/3ffc967fb60cf2910cc2f571017e977558c67821	Exploit Patch
10	https://github.com/phpmyadmin/phpmyadmin/commit/3ffc967fb60cf2910cc2f571017e977558c67821	Exploit Patch
11	https://github.com/phpmyadmin/phpmyadmin/commit/647c9d12e33a6b64e1c3ff7487f72696bdf2dccb	Exploit Patch
12	https://github.com/phpmyadmin/phpmyadmin/commit/647c9d12e33a6b64e1c3ff7487f72696bdf2dccb	Exploit Patch
13	https://github.com/phpmyadmin/phpmyadmin/commit/90ddeecf60fc029608b972e490b735f3a65ed0cb	Exploit Patch
14	https://github.com/phpmyadmin/phpmyadmin/commit/90ddeecf60fc029608b972e490b735f3a65ed0cb	Exploit Patch
15	https://github.com/phpmyadmin/phpmyadmin/commit/cd9f302bf7f91a160fe7080f9a612019ef847f1c	Exploit Patch
16	https://github.com/phpmyadmin/phpmyadmin/commit/cd9f302bf7f91a160fe7080f9a612019ef847f1c	Exploit Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

phpMyAdmin におけるクロスサイトスクリプティングの脆弱性

Title	phpMyAdmin におけるクロスサイトスクリプティングの脆弱性
Summary	phpMyAdmin には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、以下の項目を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) js/sql.js に関連するブラウザのテーブル画面 (browse table page) (2) js/functions.js に関連する ENUM 編集画面 (ENUM editor page) (3) js/server_status_monitor.js に関連するモニタ画面 (monitor page) (4) js/tbl_chart.js に関連するクエリチャート画面 (query charts page) (5) libraries/tbl_relation.lib.php に関連するテーブル連携画面 (table relations page)
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 17, 2014, midnight
Registration Date	Aug. 25, 2014, 2:54 p.m.
Last Update	Aug. 25, 2014, 2:54 p.m.

Affected System

The phpMyAdmin Project

phpMyAdmin 4.0.10.2 未満の 4.0.x

phpMyAdmin 4.1.14.3 未満の 4.1.x

phpMyAdmin 4.2.7.1 未満の 4.2.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-5273	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5273
National Vulnerability Database (NVD)
2	CVE-2014-5273	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	bug #4501 [security] XSS in table browse page	https://github.com/phpmyadmin/phpmyadmin/commit/647c9d12e33a6b64e1c3ff7487f72696bdf2dccb
2	bug #4502 [security] Self-XSS in enum value editor	https://github.com/phpmyadmin/phpmyadmin/commit/2c45d7caa614afd71dbe3d0f7270f51ce5569614
3	bug #4503 [security] Self-XSSes in monitor	https://github.com/phpmyadmin/phpmyadmin/commit/cd9f302bf7f91a160fe7080f9a612019ef847f1c
4	bug #4504 [security] Self-XSS in query charts	https://github.com/phpmyadmin/phpmyadmin/commit/90ddeecf60fc029608b972e490b735f3a65ed0cb
5	bug #4517 [security] XSS in relation view	https://github.com/phpmyadmin/phpmyadmin/commit/3ffc967fb60cf2910cc2f571017e977558c67821
SECURITY ANNOUNCEMENTS
6	PMASA-2014-8	http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php

Change Log

No	Changed Details	Date of change
0	[2014年08月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.5:::::::*