CVE-2014-5274

Description

Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js.

How to fix CVE-2014-5274

To remediate CVE-2014-5274, upgrade the affected package to a fixed version below.

• Debian/phpmyadmin—upgrade to 4:4.2.7.1-1 or later
• Packagist/phpmyadmin/phpmyadmin—upgrade to 4.1.14.3 or later

Is CVE-2014-5274 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4:4.2.7.1-1
• >= 4.1.0, < 4.1.14.3

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-5274
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-5274
• WEBlists.opensuse.org/opensuse-updates/2014-08/msg00045.html
• WEBgithub.com/phpmyadmin/phpmyadmin/commit/0cd293f5e13aa245e4a57b8d373597cc0e421b6f