[arch-security] [ASA-201510-23] phpmyadmin: content spoofing

Levente Polyak anthraxx at archlinux.org
Fri Oct 30 01:49:12 UTC 2015


Arch Linux Security Advisory ASA-201510-23
==========================================

Severity: Low
Date    : 2015-10-30
CVE-ID  : CVE-2015-7873
Package : phpmyadmin
Type    : content spoofing
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package phpmyadmin before version 4.5.1-1 is vulnerable to content
spoofing.

Resolution
==========

Upgrade to 4.5.1-1.

# pacman -Syu "phpmyadmin>=4.5.1-1"

The problem has been fixed upstream in version 4.5.1.

Workaround
==========

None.

Description
===========

This vulnerability allows an attacker to perform a content spoofing
attack using the phpMyAdmin's redirection mechanism to external sites.
This vulnerability is not considered to be critical since the spoofed
content is escaped and no HTML injection is possible.

Impact
======

A remote attacker is able do perform content spoofing using the
redirection mechanism to external sites.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7873
https://www.phpmyadmin.net/security/PMASA-2015-5/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151030/72bb9b2f/attachment.asc>


More information about the arch-security mailing list