Re: CVE Request -- phpPgAdmin -- Multiple XSS flaws fixed in v5.0.3

[Josh Bressers <bressers () redhat com>]

Please use CVE-2011-3598

Thanks.

-- 
    JB


----- Original Message -----
> Hello Josh, Steve, vendors,
>
>    multiple cross-site scripting (XSS) flaws were reported in
>    phpPgAdmin:
>
> 1) the 'title' argument of a particular web page was not sanitized
>     properly prior displaying the page header,
>
> 2) the return ULR ('return_url') and return link name ('return_desc')
>     were not sanitized properly prior displaying the requested page
>     data.
>
> A remote attacker could provide a specially-crafted URL, which once
> visited by an unsuspecting phpPgAdmin user could lead to arbitrary
> HTML
> or web script execution.
>
> References:
> [1] https://secunia.com/advisories/46248/
> [2] https://bugs.gentoo.org/show_bug.cgi?id=385505
> [3] http://phppgadmin.sourceforge.net/doku.php?id=download
> [4]
> http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news
>
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=743205
>
> Upstream patch:
> [6]
> https://github.com/phppgadmin/phppgadmin/commit/1df248203de055f97e092b50b1dd9643ccb73842
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team