CVE-2021-29625 – vrana/adminer
Package
Manager: composer
Name: vrana/adminer
Vulnerable Version: >=4.7.8 <4.8.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.69247 (percentile 0.98589)
Details
XSS in doc_link

### Impact
Users of MySQL, MariaDB, PgSQL and SQLite are affected. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected.

### Patches
Patched by 4043092, included in version [4.8.1](https://github.com/vrana/adminer/releases/tag/v4.8.1).

### Workarounds
Do both:
* Use a browser supporting strict CSP.
* Enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).

### References
https://sourceforge.net/p/adminer/bugs-and-features/797/

### For more information
If you have any questions or comments about this advisory:
* Comment at 4043092.
Metadata
Created: 2022-03-18T17:49:28Z
Modified: 2022-03-18T17:49:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2v82-5746-vwqc/GHSA-2v82-5746-vwqc.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2v82-5746-vwqc
Finding: F425
Auto approve: 1