#VU42654 Input validation error in Opensuse and phpMyAdmin


Published: 2013-08-20 | Updated: 2020-08-10

Vulnerability identifier: #VU42654

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-5029

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Opensuse (Operating systems & Components / Operating system)
phpMyAdmin (Web applications / Remote management & hosting panels)

Vendor: SUSE, phpMyAdmin

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Opensuse: 12.2 - 12.3

phpMyAdmin: 3.5.0.0 - 3.5.8.2, 4.0.0 - 4.0.4.2


External links
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00013.html
http://secunia.com/advisories/54488
http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php
http://github.com/phpmyadmin/phpmyadmin/commit/240b8332db53dedc27baeec5306dabad3bdece3b
http://github.com/phpmyadmin/phpmyadmin/commit/24d0eb55203b029f250c77d63f2900ffbe099e8b
http://github.com/phpmyadmin/phpmyadmin/commit/66fe475d4f51b1761719cb0cab360748800373f7
http://github.com/phpmyadmin/phpmyadmin/commit/da4042fb6c4365dc8187765c3bf525043687c66f


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

