GHSA-2v82-5746-vwqc

Suggest an improvement
Source
https://github.com/advisories/GHSA-2v82-5746-vwqc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2v82-5746-vwqc/GHSA-2v82-5746-vwqc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2v82-5746-vwqc
Aliases
Published
2022-03-18T17:49:28Z
Modified
2024-02-17T05:35:50.388655Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
XSS in doc_link
Details

Impact

Users of MySQL, MariaDB, PgSQL and SQLite are affected. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a pdo_ extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected.

Patches

Patched by 4043092, included in version 4.8.1.

Workarounds

Do both: * Use browser supporting strict CSP. * Enable the native PHP extensions (e.g. mysqli) or disable displaying PHP errors (display_errors).

References

https://sourceforge.net/p/adminer/bugs-and-features/797/

For more information

If you have any questions or comments about this advisory: * Comment at 4043092.

Database specific
{
    "nvd_published_at": "2021-05-19T22:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T19:18:12Z"
}
References

Affected packages

Packagist / vrana/adminer

Package

Name
vrana/adminer
Purl
pkg:composer/vrana/adminer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.7.8
Fixed
4.8.1

Affected versions

v4.*

v4.7.8
v4.7.9
v4.8.0