Subject: [ASA-201802-11] phpmyadmin: cross-site scripting

Arch Linux Security Advisory ASA-201802-11
==========================================

Severity: Medium
Date    : 2018-02-23
CVE-ID  : CVE-2018-7260
Package : phpmyadmin
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-630

Summary
=======

The package phpmyadmin before version 4.7.8-1 is vulnerable to cross-site
scripting.

Resolution
==========

Upgrade to 4.7.8-1.

# pacman -Syu "phpmyadmin>=4.7.8-1"

The problem has been fixed upstream in version 4.7.8.

Workaround
==========

None.

Description
===========

Cross-site scripting (XSS) vulnerability in db_central_columns.php in
phpMyAdmin before 4.7.8 allows remote authenticated users to inject
arbitrary web script or HTML via a crafted URL.

Impact
======

A remote authenticated attacker is able to inject arbitrary JavaScript via
a crafted URL.

References
==========

https://udiniya.wordpress.com/2018/02/21/a-tale-of-stealing-session-cookie-in-phpmyadmin/
https://www.phpmyadmin.net/security/PMASA-2018-1/
https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5
https://security.archlinux.org/CVE-2018-7260
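The Resolution section gives a single fixed version, 4.7.8-1, and the question an administrator has across a fleet is simply which hosts still run something older. The following is an added example, not part of the advisory and not Arch's own tooling: it parses Arch-style `[epoch:]pkgver-pkgrel` strings the way `pacman -Q phpmyadmin` prints them and decides whether a given installed version is below the fix. Pacman ships the authoritative comparison as the `vercmp` utility; this reimplementation follows the same ordering rules (epoch first, then numeric and alphabetic segments, with a trailing alphabetic segment such as `rc1` sorting before the bare release, then pkgrel) so that it can run on collected inventory output without pacman installed. The sample query lines at the bottom are constructed.

```python
"""Flag installed phpmyadmin versions below the fix named in ASA-201802-11.

Added example. The authoritative implementation of Arch version ordering is
pacman's `vercmp`; this mirrors its rules closely enough for inventory checks.
"""
import re

FIXED_VERSION = "4.7.8-1"  # fixed version from the advisory's Resolution section
PACKAGE = "phpmyadmin"


def _segments(s):
    """Split a version component into alternating numeric / alphabetic runs.

    Numeric runs compare as integers, alphabetic runs lexically. The tag in
    position 0 makes an alphabetic run sort below any numeric run, as in vercmp.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", s)
    return [(1, int(p)) if p.isdigit() else (0, p) for p in parts]


def _cmp_segments(a, b):
    """Compare two segment lists; return -1, 0 or 1."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    a_longer = len(a) > len(b)
    leftover = a[len(b):] if a_longer else b[len(a):]
    # vercmp rule: a leftover alphabetic segment (e.g. "rc1") marks the OLDER
    # version, a leftover numeric segment (e.g. ".1") marks the NEWER one.
    if leftover[0][0] == 0:
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_version(v):
    """Split '[epoch:]pkgver-pkgrel' into (epoch, pkgver segments, pkgrel segments)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        pkgver, pkgrel = v.rsplit("-", 1)
    else:
        pkgver, pkgrel = v, "0"  # no pkgrel: treat as release 0
    return epoch, _segments(pkgver), _segments(pkgrel)


def compare_versions(a, b):
    """Return -1 if a < b, 0 if equal, 1 if a > b, using Arch ordering rules."""
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_segments(va, vb)
    if c != 0:
        return c
    return _cmp_segments(ra, rb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one."""
    return compare_versions(installed, fixed) < 0


def check_query_line(line):
    """Evaluate one line of `pacman -Q` output such as 'phpmyadmin 4.7.7-1'.

    Returns (package, version, vulnerable). Lines for other packages are
    reported as not affected by this advisory.
    """
    name, version = line.split()
    if name != PACKAGE:
        return name, version, False
    return name, version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample inventory lines, as `pacman -Q phpmyadmin` would print them.
    sample_lines = ["phpmyadmin 4.7.7-1", "phpmyadmin 4.7.8-1", "phpmyadmin 4.7.8rc1-1"]
    for entry in sample_lines:
        pkg, ver, vuln = check_query_line(entry)
        print(f"{pkg} {ver}: {'VULNERABLE, upgrade' if vuln else 'ok'}")
```

Feed it the output of `pacman -Q phpmyadmin` gathered from each host; any line reported as vulnerable is one where the advisory's `pacman -Syu "phpmyadmin>=4.7.8-1"` still needs to run.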