CVE-2008-4456
published 2008-10-06
CVE-2008-4456: Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45…
Priority P418 · low · 2.6 (CVSS 2.0) · AV:N/AC:H/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 7.05% (93.4th percentile)
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
| oracle | mysql | — | — |
CVSS provenance
nvd · v2.0 · 2.6 LOW · AV:N/AC:H/Au:N/C:N/I:P/A:N
vendor_ubuntu · 4.6 MEDIUM
vendor_redhat · 2.6 LOW
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2012-03-12
CVE-2007-5925 MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: Several security issues were fixed in MySQL.
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10,
Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to
MySQL 5.0.95.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2010-02-10·CVSS 4.6
CVE-2008-7247 [MEDIUM] MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: MySQL vulnerabilities
It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the DATA
DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks.
This update alters table creation behaviour by disallowing the use of the
MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This
issue only affected Ubuntu 8.10. (CVE-2008-4098)
It was discovered that MySQL contained a cross-site scripting vulnerability
in the command-line client when the --html option is enabled. An attacker
could place arbitrary web script or HTML in a database cell, which would
then get placed in the HTML document output by the command-line tool. This
issue only affected Ubuntu
Red Hat
mysql: mysql command line client XSS flaw
vendor_redhat·2008-09-30·CVSS 2.6
CVE-2008-4456 [LOW] CWE-79 mysql: mysql command line client XSS flaw
GHSA
GHSA-wwgr-xr73-wm3j: Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5
ghsa_unreviewed·2022-05-02
CVE-2008-4456 [LOW] CWE-79 GHSA-wwgr-xr73-wm3j: Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5
No detection rules found.
References:
http://bugs.mysql.com/bug.php?id=27884
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://seclists.org/bugtraq/2008/Oct/0026.html
http://secunia.com/advisories/32072
http://secunia.com/advisories/34907
http://secunia.com/advisories/36566
http://secunia.com/advisories/38517
http://securityreason.com/securityalert/4357
http://support.apple.com/kb/HT4077
http://ubuntu.com/usn/usn-897-1
http://www.debian.org/security/2009/dsa-1783
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094
http://www.redhat.com/support/errata/RHSA-2009-1289.html
http://www.redhat.com/support/errata/RHSA-2010-0110.html
http://www.securityfocus.com/archive/1/496842/100/0/threaded
http://www.securityfocus.com/archive/1/496877/100/0/threaded
http://www.securityfocus.com/archive/1/497158/100/0/threaded
http://www.securityfocus.com/archive/1/497885/100/0/threaded
http://www.securityfocus.com/bid/31486
http://www.ubuntu.com/usn/USN-1397-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/45590
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11456
Published: 2008-10-06