Cross-Site Scripting Vulnerability in phpMyBackupPro

Posted date 27/05/2024
Importance
4 - High
Affected Resources
  • phpMyBackupPro, version 2.3.
Description

INCIBE has coordinated the publication of 3 high-severity vulnerabilities affecting phpMyBackupPro, version 2.3, a PHP web application for backing up MySQL databases, which were discovered by Rafael Pedrero.

The vulnerabilities have been assigned the following identifiers, CVSS v3.1 base score, CVSS vector and CWE vulnerability type (all three share the same score and vector):

  • CVE-2024-5413 to CVE-2024-5415: 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79
Solution

There is no reported solution at this time. Until a fix is published, the usual mitigations for reflected XSS apply: restrict access to the application to trusted users and networks, and treat links to it that arrive from untrusted sources with suspicion.

Detail

Three vulnerabilities have been discovered in phpMyBackupPro 2.3 that allow reflected cross-site scripting (XSS). In each case an attacker can craft a URL whose query parameter carries a script payload and send it to a victim; when the victim opens the link, the script runs in the application's origin in the victim's browser and can be used to retrieve their session details. The assigned CVE list is as follows:

  • CVE-2024-5413: /phpmybackuppro/scheduled.php, all parameters.
  • CVE-2024-5414: /phpmybackuppro/get_file.php, 'view' parameter.
  • CVE-2024-5415: /phpmybackuppro/backup.php, 'comments' and 'db' parameters.
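The check a practitioner would want for the endpoints listed above is a reflection probe: send a unique canary wrapped in the characters an HTML encoder must rewrite, and see whether the page echoes it back untouched. The block below is an added example, not INCIBE's advisory text or the project's code. It uses the endpoint and parameter names from the CVE list; the parameters of scheduled.php are not named in the advisory, so its list is left empty for the tester to fill in. The target host `http://target.example` and the `fake_server` stand-in are assumptions so the check runs offline.

```python
"""
Reflection probe for the phpMyBackupPro 2.3 endpoints named in the advisory.
Added example (not INCIBE's or the project's code). It classifies each
endpoint/parameter as reflecting the canary raw (XSS-prone), HTML-encoded (safe)
or not at all. Standard library only.
"""
import html
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint -> parameters, taken from the CVE list. scheduled.php is reported as
# "all parameters" without naming them, so a tester must supply that list from
# the target installation; it is deliberately empty here rather than guessed.
TARGETS = {
    "phpmybackuppro/scheduled.php": [],                 # CVE-2024-5413
    "phpmybackuppro/get_file.php": ["view"],            # CVE-2024-5414
    "phpmybackuppro/backup.php": ["comments", "db"],    # CVE-2024-5415
}


def make_canary(token=None):
    """Unique marker wrapped in < " ' > : if it comes back byte-for-byte the
    parameter is reflected without HTML encoding."""
    token = token or secrets.token_hex(4)
    return f'cnr{token}<"\'>'


def build_probe_urls(base_url, targets, canary):
    """One GET URL per (endpoint, parameter) with the canary in that parameter."""
    urls = []
    for path, params in targets.items():
        for param in params:
            url = base_url.rstrip("/") + "/" + path + "?" + urlencode({param: canary})
            urls.append((path, param, url))
    return urls


def classify_reflection(body, canary):
    """'raw' if the canary is reflected unencoded, 'encoded' if only its
    entity-escaped form appears, 'absent' if it is not reflected at all."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def run_probes(fetch, base_url, targets, canary=None):
    """fetch(url) -> response body (str). Returns {(path, param): verdict}."""
    canary = canary or make_canary()
    return {
        (path, param): classify_reflection(fetch(url), canary)
        for path, param, url in build_probe_urls(base_url, targets, canary)
    }


def fake_server(hardened):
    """Constructed stand-in for the target so the probe runs offline.
    hardened=False echoes every query parameter into the page unencoded, which
    is the CWE-79 behaviour the advisory describes; hardened=True passes each
    value through html.escape() first, the fix an encoder-based patch would make."""
    def fetch(url):
        query = parse_qs(urlparse(url).query)
        cells = []
        for name, values in query.items():
            value = values[0]
            shown = html.escape(value, quote=True) if hardened else value
            cells.append(f"<td>{name}: {shown}</td>")
        return "<html><body><table><tr>" + "".join(cells) + "</tr></table></body></html>"
    return fetch


if __name__ == "__main__":
    canary = make_canary("deadbeef")
    for hardened in (False, True):
        verdicts = run_probes(fake_server(hardened), "http://target.example", TARGETS, canary)
        print("hardened" if hardened else "unpatched", verdicts)
```

Against a real installation, replace `fake_server(...)` with a fetch callable that performs the HTTP request (for example `urllib.request.urlopen` from the standard library) and sends whatever session cookie the target requires; a `raw` verdict on any row means that parameter still reflects unencoded input.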