Date: Wed, 12 Dec 2018 07:18:56 +0000 (UTC)
From: Matthew Seaman <matthew@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r487281 - head/security/vuxml
Message-ID: <201812120718.wBC7IudZ013242@repo.freebsd.org>
Author: matthew Date: Wed Dec 12 07:18:56 2018 New Revision: 487281 URL: https://svnweb.freebsd.org/changeset/ports/487281 Log: Document three more security advisories from phpMyAdmin Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Dec 12 06:27:50 2018 (r487280) +++ head/security/vuxml/vuln.xml Wed Dec 12 07:18:56 2018 (r487281) 
@@ -58,6 +58,76 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="ed10ed3f-fddc-11e8-94cf-6805ca0b3d42"> + <topic>phpMyAdmin -- multiple vulnerabilities</topic> + <affects> + <package> + <name>phpMyAdmin</name> + <name>phpMyAdmin-php56</name> + <name>phpMyAdmin-php70</name> + <name>phpMyAdmin-php71</name> + <name>phpMyAdmin-php72</name> + <range><lt>4.8.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The phpMyAdmin development team reports:</p> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-6/"> + <h3>Summary</h3> + <p>Local file inclusion through transformation feature</p> + <h3>Description</h3> + <p>A flaw has been found where an attacker can exploit + phpMyAdmin to leak the contents of a local file. The + attacker must have access to the phpMyAdmin Configuration + Storage tables, although these can easily be created in any + database to which the attacker has access. 
An attacker must + have valid credentials to log in to phpMyAdmin; this + vulnerability does not allow an attacker to circumvent the + login system.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be severe.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-7/"> + <h3>Summary</h3> + <p>XSRF/CSRF vulnerability in phpMyAdmin</p> + <h3>Description</h3> + <p>By deceiving a user to click on a crafted URL, it is + possible to perform harmful SQL operations such as renaming + databases, creating new tables/routines, deleting designer + pages, adding/deleting users, updating user passwords, + killing SQL processes, etc.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be of moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-8/"> + <h3>Summary</h3> + <p>XSS vulnerability in navigation tree</p> + <h3>Description</h3> + <p>A Cross-Site Scripting vulnerability was found in the + navigation tree, where an attacker can deliver a payload to + a user through a specially-crafted database/table name.</p> + <h3>Severity</h3> + <p>We consider this attack to be of moderate severity.</p> + <h3>Mitigation factor</h3> + <p>The stored XSS vulnerabilities can be triggered only by + someone who logged in to phpMyAdmin, as the usual token + protection prevents non-logged-in users from accessing the + required forms.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.phpmyadmin.net/security/PMASA-2018-6/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2018-7/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2018-8/</url> + </references> + <dates> + <discovery>2018-12-11</discovery> + <entry>2018-12-12</entry> + </dates> + </vuln> + <vuln vid="d10b49b2-8d02-49e8-afde-0844626317af"> <topic>mozilla -- multiple vulnerabilities</topic> <affects>
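Review bot: The <references> block at the end of the new <vuln> entry lists only the three PMASA URLs and has no <cvename> elements, so the entry cannot be matched by CVE identifier; if CVE ids have been assigned to PMASA-2018-6, -7 and -8, add one <cvename> per id alongside the <url> lines. Separately, in <affects> the single <range><lt>4.8.4</lt></range> has no lower bound and applies to all five package names, while the quoted advisory text does not say which versions are affected; it is worth confirming against the three advisories that every release before 4.8.4 is affected by at least one of them, and adding a <ge> bound if not.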