Announcement-ID: PMASA-2018-8
Date: 2018-12-07
XSS vulnerability in navigation tree
A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.
We consider this attack to be of moderate severity.
The stored XSS vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.
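The root cause described above is an untrusted identifier (a database or table name) being written into the navigation tree's HTML without escaping. The following PHP is an added illustration written for this advisory, not phpMyAdmin's own code: it shows the vulnerable rendering pattern next to a hardened version that escapes on output, and a simple audit helper that flags existing identifiers containing HTML metacharacters. The function names, the `navigation.php?db=` URL shape and the sample identifiers are assumptions constructed for the example.

```php
<?php
// Added example (not phpMyAdmin's own code). Database and table names are
// attacker-controlled data as far as the HTML layer is concerned, so they
// must be escaped at the point of output like any other user input.

declare(strict_types=1);

/**
 * Vulnerable pattern: the identifier is concatenated into markup as-is, so a
 * name such as  <img src=x onerror=alert(1)>  becomes live HTML in the tree.
 */
function renderTreeNodeUnsafe(string $name, string $url): string
{
    return '<li><a href="' . $url . '">' . $name . '</a></li>';
}

/** Escape a value for use in an HTML text node or a double-quoted attribute. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, which would silently drop
    // a node from the tree.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every untrusted value is escaped where it is emitted. */
function renderTreeNode(string $name, string $url): string
{
    return '<li><a href="' . escapeHtml($url) . '">' . escapeHtml($name) . '</a></li>';
}

/**
 * Defender-side triage: list identifiers that contain HTML metacharacters.
 * In a real deployment the names would come from information_schema
 * (SCHEMATA.SCHEMA_NAME and TABLES.TABLE_NAME); here a constructed array
 * stands in for that query result. Quotes are included because an
 * identifier can land in an attribute context as well as a text node.
 */
function findSuspiciousIdentifiers(array $names): array
{
    return array_values(array_filter($names, static function (string $n): bool {
        return preg_match('/[<>"\'&]/', $n) === 1;
    }));
}

// Constructed sample identifiers, including one payload-shaped name.
$names = ['sales', 'customers_2018', '<img src=x onerror=alert(1)>', "o'reilly"];

foreach ($names as $n) {
    // The identifier is also placed in a URL, so it is URL-encoded first and
    // then HTML-escaped by renderTreeNode() for the href attribute.
    echo renderTreeNode($n, 'navigation.php?db=' . rawurlencode($n)), PHP_EOL;
}
print_r(findSuspiciousIdentifiers($names));
```

Run with `php example.php`. The hardened renderer turns the payload-shaped name into inert text (`&lt;img ...&gt;`), while `findSuspiciousIdentifiers()` gives an administrator a short list of names worth reviewing after an upgrade; it is a coarse filter and will also report legitimate names such as `o'reilly`, so treat its output as a triage list rather than a verdict.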
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.
Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and Eddie TC CHANG for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19970
The following commits have been made on the 4.8 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.