XSS vulnerability in row_create
Bug #1964710 reported by Nicholas Guriev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
phpliteadmin (Ubuntu) | Fix Released | Medium | Unassigned |
Bionic | Fix Released | Medium | Unassigned |
Focal | Fix Released | Medium | Unassigned |
Impish | Won't Fix | Medium | Unassigned |
Jammy | Fix Released | Medium | Unassigned |
Bug Description
On 21 August 2021, a little XSS vulnerability was publicly reported in the phpLiteAdmin script packaged in Ubuntu. The following versions of the phpliteadmin package are affected.
* 1.9.8.2-1 echoes the GET parameter newRows to HTML with no proper escaping or conversion.
* 1.9.7.1-1ubuntu0.1 does similar with the POST parameter num.
Upstream bug report: https:/
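The pattern the description refers to, a request parameter echoed into HTML with neither conversion nor escaping, shown next to a hardened form. This is an added example, not phpLiteAdmin's code or the Ubuntu patch; the function names and the form field are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical rendering helpers (not phpLiteAdmin's code): they build the
// "how many rows to insert" field from a request parameter.

// Unsafe pattern from the report: the raw parameter lands in the HTML.
function render_rows_field_unsafe(array $params): string
{
    $rows = $params['newRows'] ?? '1';
    return '<input type="text" name="newRows" value="' . $rows . '">';
}

// Conversion: accept only an integer in a sane range, else use the default.
function parse_row_count(array $params, string $key, int $default = 1, int $max = 100): int
{
    $raw = $params[$key] ?? null;
    if (!is_string($raw)) {            // missing value or array (newRows[]=x)
        return $default;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

// Escaping: encode for the HTML attribute context at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_rows_field_safe(array $params): string
{
    $rows = parse_row_count($params, 'newRows');
    return '<input type="text" name="newRows" value="' . h((string) $rows) . '">';
}

// Constructed sample inputs; the markup is harmless and only shows the breakout.
$samples = [
    ['newRows' => '3'],
    ['newRows' => '3"><i>injected</i>'],
    ['newRows' => ['x']],
];
foreach ($samples as $params) {
    if (is_string($params['newRows'])) {
        echo 'unsafe: ', render_rows_field_unsafe($params), PHP_EOL;
    }
    echo 'safe:   ', render_rows_field_safe($params), PHP_EOL;
}
```

For the second sample the unsafe helper closes the `value` attribute early and emits the `<i>` element as markup, while the safe helper falls back to `1` because the value is not an integer.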
CVE References
description: updated
Changed in phpliteadmin (Ubuntu):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Bionic):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Focal):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Impish):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Jammy):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Impish):
status: New → Won't Fix
ACK on the debdiffs in comments #1 and #2. I did add the CVE number to the changelog though, to make it easier to track.
I've uploaded packages to the security team PPA here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
Could you please give them a try and once they have been tested, we will publish them.
Thanks!