CVE-2012-5368 — Cross-site Scripting in Phpmyadmin

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedOct 25

Latest updateMay 17

Description

phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Packagistphpmyadmin/phpmyadmin3.5 — 3.5.3

▶debiandebian/phpmyadmin

▶NVDphpmyadmin/phpmyadmin5 versions+4

Patches

Patch: www.phpmyadmin.net ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

phpMyAdmin Unsafe Fetching of Javascript Code↗2022-05-17

▶

OSV

phpMyAdmin Unsafe Fetching of Javascript Code↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2012-5368: phpmyadmin - phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an H...↗2012

▶

💬Community

Bugzilla

CVE-2012-5368 phpMyAdmin: Obtaining current phpMyAdmin version from non SSL site is prone to MITM attack (PMASA-2012-7)↗2012-10-25

▶