Allele Security Alert
ASA-2018-00073
Identifier(s)
ASA-2018-00073, CVE-2018-19970, PMASA-2018-8
Title
Missing input validation in navigation tree
Vendor(s)
The phpMyAdmin Project
Product(s)
phpMyAdmin
Affected version(s)
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected
Fixed version(s)
phpMyAdmin 4.8.4
Proof of concept
Unknown
Description
A missing input validation vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name. This can lead to cross-site scripting attacks.
Technical details
Unknown
Credits
YU-HSIANG HUANG, YUNG-HAO TSENG, and Eddie TC CHANG
Reference(s)
Security fix: phpMyAdmin 4.8.4 is released
https://www.phpmyadmin.net/news/2018/12/11/security-fix-phpmyadmin-484-released/
phpMyAdmin – Security – PMASA-2018-8
https://www.phpmyadmin.net/security/PMASA-2018-8/
Fix phpmyadmin/phpmyadmin-security#260 Stored Cross-Site Scripting (XSS) in navigation tree
https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
CVE-2018-19970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19970
CVE-2018-19970
https://nvd.nist.gov/vuln/detail/CVE-2018-19970
Last modified: March 11, 2019