Bug 75707 (CVE-2005-0992)

Summary: VUL-0: CVE-2005-0992: XSS in phpMyAdmin
Product: [Novell Products] SUSE Security Incidents
Reporter: Michal Čihař <mcihar>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0992: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Michal Čihař 2005-04-04 08:32:46 UTC
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3:

phpMyAdmin security announcement PMASA-2005-3

Announcement-ID: PMASA-2005-3
Date: 2005-04-03

Summary:
Cross-Site Scripting vulnerability

Description:
We received a security advisory from Oriol Torrent Santiago and we wish to thank
him for his work and report. The convcharset parameter was not correctly
validated, opening the door to a XSS attack.

Severity:
We consider this vulnerability to be serious.

Affected versions:
Probably all phpMyAdmin versions before 2.6.2-rc1.

Solution:
Upgrade to phpMyAdmin 2.6.2-rc1 or newer.

References:
http://www.arrelnet.com/advisories/adv20050403.html
Comment 1 Michal Čihař 2005-04-04 08:34:02 UTC
We don't have this enabled as default, so it's probably not that important.
Comment 3 Ludwig Nussel 2005-04-04 09:46:32 UTC
SM-Tracker-808 
Comment 4 Michal Čihař 2005-04-04 10:37:02 UTC
Fixed packages submitted.
Comment 5 Ludwig Nussel 2005-04-08 10:30:58 UTC
did you fix #67276 as well? 
Comment 6 Ludwig Nussel 2005-04-11 09:30:46 UTC
CAN-2005-0992 
patchinfo submitted 
Comment 7 Marcus Meissner 2005-04-11 16:01:31 UTC
updated packages approved, thanks 
Comment 8 Thomas Biege 2009-10-13 21:15:44 UTC
CVE-2005-0992: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)