CVE-2014-6300

Description

Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js.

How to fix CVE-2014-6300

To remediate CVE-2014-6300, upgrade the affected package to a fixed version below.

• Debian/phpmyadmin—upgrade to 4:4.2.8.1-1 or later
• —upgrade to 4.0.10.3 or later

Is CVE-2014-6300 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4:4.2.8.1-1
• >= 4.0.0, < 4.0.10.3

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-6300
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-6300
• WEBlists.opensuse.org/opensuse-updates/2014-09/msg00032.html
• WEBgithub.com/phpmyadmin/phpmyadmin/commit/33b39f9f1dd9a4d27856530e5ac004e23b30e8ac