PublicDateAtUSN: 2018-02-21 15:29:00 UTC
Candidate: CVE-2018-7260
PublicDate: 2018-02-21 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7260
 https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3
 https://www.phpmyadmin.net/security/PMASA-2018-1/
 https://udiniya.wordpress.com/2018/02/21/a-tale-of-stealing-session-cookie-in-phpmyadmin/
 https://ubuntu.com/security/notices/USN-4639-1
Description:
 Cross-site scripting (XSS) vulnerability in db_central_columns.php in
 phpMyAdmin before 4.7.8 allows remote authenticated users to inject
 arbitrary web script or HTML via a crafted URL.
Ubuntu-Description:
 It was discovered that phpMyAdmin mishandled certain input. An attacker could
 use this vulnerability to execute a cross-site scripting (XSS) attack via
 a crafted URL.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mikesalvatore
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [5.4 MEDIUM]


Patches_phpmyadmin:
upstream_phpmyadmin: released (4.7.8, 4:4.9.1+dfsg1-2)
precise/esm_phpmyadmin: DNE
trusty_phpmyadmin: not-affected (code not present)
trusty/esm_phpmyadmin: not-affected (code not present)
xenial_phpmyadmin: ignored (end of standard support, was needed)
artful_phpmyadmin: ignored (reached end-of-life)
bionic_phpmyadmin: released (4:4.6.6-5ubuntu0.5)
cosmic_phpmyadmin: ignored (reached end-of-life)
disco_phpmyadmin: ignored (reached end-of-life)
eoan_phpmyadmin: DNE
focal_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
groovy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
hirsute_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
impish_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
jammy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
devel_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)