CVE-2008-4456 Information

Description

Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.

Reference

http://bugs.mysql.com/bug.php?id=27884
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://seclists.org/bugtraq/2008/Oct/0026.html
http://secunia.com/advisories/32072
http://secunia.com/advisories/34907
http://secunia.com/advisories/36566
http://secunia.com/advisories/38517
http://securityreason.com/securityalert/4357
http://support.apple.com/kb/HT4077
http://ubuntu.com/usn/usn-897-1
http://www.debian.org/security/2009/dsa-1783
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094
http://www.redhat.com/support/errata/RHSA-2009-1289.html
http://www.redhat.com/support/errata/RHSA-2010-0110.html
http://www.securityfocus.com/archive/1/496842/100/0/threaded
http://www.securityfocus.com/archive/1/496877/100/0/threaded
http://www.securityfocus.com/archive/1/497158/100/0/threaded
http://www.securityfocus.com/archive/1/497885/100/0/threaded
http://www.securityfocus.com/bid/31486
http://www.ubuntu.com/usn/USN-1397-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/45590
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A11456
