Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwZ3gtZ2NwaC1tcHFy

vrana/adminer via XSS in the history parameter in SQL command

Impact

Users of Adminer versions supporting SQL command (most versions, e.g. MySQL) using browsers not encoding URL parameters before sending to server (likely Edge, not Chrome, not Firefox) are affected.

Patches

Patched by 5c395afc, included in version 4.7.9.

Workarounds

Use browser which encodes URL parameters (e.g. Chrome or Firefox).

References

https://sourceforge.net/p/adminer/bugs-and-features/775/

For more information

If you have any questions or comments about this advisory:

Comment at https://sourceforge.net/p/adminer/bugs-and-features/775/

Permalink: https://github.com/advisories/GHSA-9pgx-gcph-mpqr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwZ3gtZ2NwaC1tcHFy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago

CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00135
EPSS Percentile: 0.49543

Identifiers: GHSA-9pgx-gcph-mpqr, CVE-2020-35572
References:

Repository: https://github.com/vrana/adminer
Blast Radius: 12.0

Affected Packages

packagist:vrana/adminer

Dependent packages: 14
Dependent repositories: 94
Downloads: 2,664,515 total
Affected Version Ranges: < 4.7.9
Fixed in: 4.7.9
All affected versions: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8
All unaffected versions: 4.7.9, 4.8.0, 4.8.1