Vulnerability Details : CVE-2008-4456
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
Vulnerability category: Cross site scripting (XSS)
Threat overview for CVE-2008-4456
Top countries where our scanners detected CVE-2008-4456
Top open port discovered on systems with this issue
3306
IPs affected by CVE-2008-4456 1,788
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2008-4456!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2008-4456
Probability of exploitation activity in the next 30 days: 1.36%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2008-4456
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.6
|
LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
4.9
|
2.9
|
NIST |
CWE ids for CVE-2008-4456
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-4456
-
Red Hat 2010-02-17Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4456 This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html and Red Hat Enterprise Linux 4 by https://rhn.redhat.com/errata/RHSA-2010-0110.html . The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3, and Red Hat Application Stack 2.
-
http://bugs.mysql.com/bug.php?id=27884
Exploit
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11456
- http://www.redhat.com/support/errata/RHSA-2010-0110.html
-
http://seclists.org/bugtraq/2008/Oct/0026.html
-
http://www.securityfocus.com/archive/1/496842/100/0/threaded
-
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
-
http://www.securityfocus.com/archive/1/497885/100/0/threaded
- http://ubuntu.com/usn/usn-897-1
- http://www.debian.org/security/2009/dsa-1783
-
http://support.apple.com/kb/HT4077
About the security content of Security Update 2010-002 / Mac OS X v10.6.3 - Apple Support
-
http://www.ubuntu.com/usn/USN-1397-1
USN-1397-1: MySQL vulnerabilities | Ubuntu security notices
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/45590
-
http://www.securityfocus.com/bid/31486
-
http://www.securityfocus.com/archive/1/497158/100/0/threaded
-
http://securityreason.com/securityalert/4357
-
http://www.securityfocus.com/archive/1/496877/100/0/threaded
- http://www.redhat.com/support/errata/RHSA-2009-1289.html
-
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Apple - Lists.apple.com
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:094
- cpe:2.3:a:oracle:mysql:5.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.45:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.30:sp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.38:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:5.0.67:*:*:*:*:*:*:*
- cpe:2.3:a:mysql:mysql:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mysql:mysql:5.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:mysql:mysql:5.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:mysql:mysql:5.0.44:*:*:*:*:*:*:*