found 988886 4.7.1-1
thanks

Hi,

Thanks for bringing this to my attention.

> I'm slightly confused about the available information about the
> affected version. From the code it looks to me that 4.7.1 as in stable
> would be affected as well, but upstream is claiming 4.7.8 is affected
> to 4.8.0. Though as well the Impact message mentions version back to
> 4.6.1.

I could reproduce with both 4.7.1 and 4.7.9 and Internet Explorer as a browser.
I could not reproduce with 4.8.1 which fixes this.

The test URL:
http://host/adminer-4.7.1.php?server=localhost&username=root&db=mysql&table=event%27%3E%3Csvg/onload=alert(document.cookie)%3E

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'm a bit confused as to where and when to fix this.
My understanding is the following:

buster: I assume from your message that this does not warrant a DSA. Then I'll update https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960396
bullseye: this bug is not RC, so no update.
unstable: will fix after the release by uploading 4.8.1 or later.

Thanks for your advice if my understanding is wrong,

regards,
Alex