Debian Local Security Checks : Debian: Security Advisory (DSA-2975-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.702975

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-2975-1)

Summary: The remote host is missing an update for the Debian 'phpmyadmin' package(s) announced via the DSA-2975-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'phpmyadmin' package(s) announced via the DSA-2975-1 advisory.

Vulnerability Insight:
Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-4995

Authenticated users could inject arbitrary web script or HTML via a crafted SQL query.

CVE-2013-4996

Cross site scripting was possible via a crafted logo URL in the navigation panel or a crafted entry in the Trusted Proxies list.

CVE-2013-5002

Authenticated users could inject arbitrary web script or HTML via a crafted pageNumber value in Schema Export.

CVE-2013-5003

Authenticated users could execute arbitrary SQL commands as the phpMyAdmin control user via the scale parameter PMD PDF export and the pdf_page_number parameter in Schema Export.

CVE-2014-1879

Authenticated users could inject arbitrary web script or HTML via a crafted file name in the Import function.

For the stable distribution (wheezy), these problems have been fixed in version 4:3.4.11.1-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 4:4.2.5-1.

We recommend that you upgrade your phpmyadmin packages.

Affected Software/OS:
'phpmyadmin' package(s) on Debian 7.

Solution:
Please install the updated package(s).

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-4995
BugTraq ID: 61510
http://www.securityfocus.com/bid/61510
http://secunia.com/advisories/59832
Common Vulnerability Exposure (CVE) ID: CVE-2013-4996
BugTraq ID: 61921
http://www.securityfocus.com/bid/61921
Common Vulnerability Exposure (CVE) ID: CVE-2013-5002
BugTraq ID: 61516
http://www.securityfocus.com/bid/61516
Common Vulnerability Exposure (CVE) ID: CVE-2013-5003
BugTraq ID: 61923
http://www.securityfocus.com/bid/61923
Common Vulnerability Exposure (CVE) ID: CVE-2014-1879
BugTraq ID: 65717
http://www.securityfocus.com/bid/65717
SuSE Security Announcement: openSUSE-SU-2014:0344 (Google Search)
http://lists.opensuse.org/opensuse-updates/2014-03/msg00017.html

Copyright Copyright (C) 2014 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.702975
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-2975-1)
Summary:	The remote host is missing an update for the Debian 'phpmyadmin' package(s) announced via the DSA-2975-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'phpmyadmin' package(s) announced via the DSA-2975-1 advisory. Vulnerability Insight: Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-4995 Authenticated users could inject arbitrary web script or HTML via a crafted SQL query. CVE-2013-4996 Cross site scripting was possible via a crafted logo URL in the navigation panel or a crafted entry in the Trusted Proxies list. CVE-2013-5002 Authenticated users could inject arbitrary web script or HTML via a crafted pageNumber value in Schema Export. CVE-2013-5003 Authenticated users could execute arbitrary SQL commands as the phpMyAdmin control user via the scale parameter PMD PDF export and the pdf_page_number parameter in Schema Export. CVE-2014-1879 Authenticated users could inject arbitrary web script or HTML via a crafted file name in the Import function. For the stable distribution (wheezy), these problems have been fixed in version 4:3.4.11.1-2+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 4:4.2.5-1. We recommend that you upgrade your phpmyadmin packages. Affected Software/OS: 'phpmyadmin' package(s) on Debian 7. Solution: Please install the updated package(s). CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-4995 BugTraq ID: 61510 http://www.securityfocus.com/bid/61510 http://secunia.com/advisories/59832 Common Vulnerability Exposure (CVE) ID: CVE-2013-4996 BugTraq ID: 61921 http://www.securityfocus.com/bid/61921 Common Vulnerability Exposure (CVE) ID: CVE-2013-5002 BugTraq ID: 61516 http://www.securityfocus.com/bid/61516 Common Vulnerability Exposure (CVE) ID: CVE-2013-5003 BugTraq ID: 61923 http://www.securityfocus.com/bid/61923 Common Vulnerability Exposure (CVE) ID: CVE-2014-1879 BugTraq ID: 65717 http://www.securityfocus.com/bid/65717 SuSE Security Announcement: openSUSE-SU-2014:0344 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-03/msg00017.html
Copyright	Copyright (C) 2014 Greenbone AG