Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1806-1 Final 1 1 2018-06-23T07:16:28Z current 2018-06-23T07:16:28Z 2018-06-23T07:16:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin This update for phpMyAdmin fixes multiple issues. Security issues fixed: * CVE-2018-12613: File inclusion and remote code execution attack (boo#1098751) * CVE-2018-12581: XSS in Designer feature (boo#1098752) This update to version 4.8.2 also contains number of upstream bug fixes and improvements. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00044.html E-Mail link for openSUSE-SU-2018:1806-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 12 phpMyAdmin-4.8.2-23.1 phpMyAdmin-4.8.2-23.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 12 An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. CVE-2018-12581 SUSE Package Hub for SUSE Linux Enterprise 12:phpMyAdmin-4.8.2-23.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00044.html https://www.suse.com/security/cve/CVE-2018-12581.html CVE-2018-12581 https://bugzilla.suse.com/1098752 SUSE Bug 1098752 An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication). CVE-2018-12613 SUSE Package Hub for SUSE Linux Enterprise 12:phpMyAdmin-4.8.2-23.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00044.html https://www.suse.com/security/cve/CVE-2018-12613.html CVE-2018-12613 https://bugzilla.suse.com/1098735 SUSE Bug 1098735 https://bugzilla.suse.com/1098744 SUSE Bug 1098744 https://bugzilla.suse.com/1098751 SUSE Bug 1098751