FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpMyAdmin -- XSS due to unescaped HTML output in GIS visualisation page

Affected packages
3.5 <= phpMyAdmin < 3.5.8

Details

VuXML ID 7280c3f6-a99a-11e2-8cef-6805ca0b3d42
Discovery 2013-04-18
Entry 2013-04-20

The phpMyAdmin development team reports:

When modifying a URL parameter with a crafted value, it is possible to trigger an XSS.

These XSS issues can only be triggered when a valid database is known and when a valid cookie token is used.
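The following is an added illustration of the pattern the title describes, a URL parameter reflected into HTML output without escaping, beside the hardened form. It is not phpMyAdmin's code and is not taken from the advisory; the parameter name `label`, the heading markup and the sample request are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin code: the general "unescaped HTML output"
// pattern behind a reflected XSS. The parameter name 'label' is assumed.

// Vulnerable: the raw query-string value is concatenated straight into the page,
// so a crafted value such as <script>...</script> is returned as live markup.
function render_vulnerable(array $get): string
{
    $label = $get['label'] ?? '';
    return '<h2>GIS visualisation: ' . $label . '</h2>';
}

// Hardened: escape for the HTML text context at the point of output.
// ENT_QUOTES also escapes ' and " so the same helper is safe inside quoted
// attribute values; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the charset is stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $get): string
{
    $label = $get['label'] ?? '';
    return '<h2>GIS visualisation: ' . h($label) . '</h2>';
}

// Constructed sample request standing in for $_GET on a real page.
$sample = ['label' => '<script>alert(document.cookie)</script>'];

echo render_vulnerable($sample), "\n";
echo render_hardened($sample), "\n";
```

Running the script shows the first heading carrying the script tag verbatim and the second carrying it as escaped entities that the browser renders as text. The fix is the same regardless of the preconditions the advisory lists (a known database name and a valid token): every value that originates in the request must be escaped for the context it is written into, here HTML text, at output time.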

References

CVE Name CVE-2013-1937
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php