Source: adminer
Version: 4.7.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for adminer.

CVE-2021-29625[0]:
| Adminer is open-source database management software. A cross-site
| scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects
| users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases
| prevented by strict CSP in all modern browsers. The only exception is
| when Adminer is using a `pdo_` extension to communicate with the
| database (it is used if the native extensions are not enabled). In
| browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected.
| The vulnerability is patched in version 4.8.1. As workarounds, one can
| use a browser supporting strict CSP or enable the native PHP
| extensions (e.g. `mysqli`) or disable displaying PHP errors
| (`display_errors`).

I'm slightly confused about the available information on the
affected versions. From the code it looks to me that 4.7.1 as in stable
would be affected as well, but upstream is claiming 4.7.8 to 4.8.0 are
affected, while the Impact message mentions versions back to 4.6.1.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29625
[1] https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
[2] https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
