
CVE-2020-35572 vrana/adminer

Package

Manager: composer
Name: vrana/adminer
Vulnerable Version: >=0 <4.7.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.1321 (percentile 0.93888)

Details

Cross-site scripting (XSS) via the history parameter of the SQL command page in vrana/adminer.

Impact

Users of Adminer versions that support the SQL command page (most versions, e.g. MySQL) are affected when they use a browser that does not encode URL parameters before sending them to the server (likely Edge; not Chrome, not Firefox).

Patches

Patched by commit 5c395afc, included in version 4.7.9 (https://github.com/vrana/adminer/releases/tag/v4.7.9).

Workarounds

Use a browser that encodes URL parameters (e.g. Chrome or Firefox). Upgrading to 4.7.9 or later is the actual fix; the browser choice only reduces exposure for that user's own browser.

References

https://sourceforge.net/p/adminer/bugs-and-features/775/

For more information

If you have any questions or comments about this advisory, comment at https://sourceforge.net/p/adminer/bugs-and-features/775/
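
The advisory's claim that only browsers which do not percent-encode URL parameters are exposed is easiest to see with a small model of the two request shapes. The following Python is an added example, not Adminer's code and not the patched code: the vulnerable render function is a constructed pattern (the raw query string reflected into markup without HTML escaping) assumed to be consistent with the behaviour the advisory describes, the payload is constructed, and the "non-encoding browser" helper is hypothetical. It also shows why $_GET-style parsing hides the difference: both request shapes decode to the same parameter value, so only code that reflects the raw, undecoded query string is sensitive to what the browser sent.

```python
"""Added example (not Adminer's code): why this reflected XSS depends on
browser URL encoding, and what the escaping fix looks like."""
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload for illustration; the advisory publishes none.
PAYLOAD = '<script>alert(1)</script>'


def query_from_encoding_browser(params: dict) -> str:
    """Chrome/Firefox percent-encode <, >, " and similar characters before
    sending, so the server receives %3Cscript%3E rather than a literal tag."""
    return urlencode(params)


def query_from_non_encoding_browser(params: dict) -> str:
    """Hypothetical helper modelling a browser that sends the typed
    characters verbatim (the advisory names Edge as the likely case)."""
    return "&".join(f"{k}={v}" for k, v in params.items())


def decoded_history(raw_query: str) -> str:
    """What $_GET-style parsing yields: both encodings decode to one value."""
    return parse_qs(raw_query).get("history", [""])[0]


def render_vulnerable(raw_query: str) -> str:
    """Constructed vulnerable pattern: the raw query string is reflected into
    an attribute with no HTML escaping. Safe only when the browser already
    percent-encoded the dangerous characters."""
    return f'<a href="?{raw_query}">history</a>'


def render_fixed(raw_query: str) -> str:
    """Hardened pattern: escape for an HTML attribute context regardless of
    what the client sent (the CWE-79 fix class, not Adminer's exact patch)."""
    return f'<a href="?{html.escape(raw_query, quote=True)}">history</a>'


def contains_live_markup(rendered: str) -> bool:
    """Crude check used by the demo: does a raw <script tag reach the page?"""
    return "<script" in rendered


if __name__ == "__main__":
    params = {"sql": "SELECT 1", "history": PAYLOAD}
    cases = [
        ("encoding browser", query_from_encoding_browser(params)),
        ("non-encoding browser", query_from_non_encoding_browser(params)),
    ]
    for name, q in cases:
        print(f"{name}: server-side decoded value = {decoded_history(q)!r}")
        print(f"  vulnerable render injected: {contains_live_markup(render_vulnerable(q))}")
        print(f"  fixed render injected:      {contains_live_markup(render_fixed(q))}")
```

Running it shows the decoded parameter is identical for both browsers; the vulnerable render only carries a live tag for the non-encoding browser, and the escaped render carries none in either case.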

Metadata

Created: 2021-02-11T20:42:28Z
Modified: 2023-09-21T19:59:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-9pgx-gcph-mpqr/GHSA-9pgx-gcph-mpqr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9pgx-gcph-mpqr
Finding: F008
Auto approve: 1