phpmyadmin -- remote code inclusion and XSS scripting

The phpMyAdmin development team reports:

Summary
XSS in Designer feature
Description
A Cross-Site Scripting vulnerability was found in the
Designer feature, where an attacker can deliver a
payload to a user through a specially-crafted database
name.
Severity
We consider this attack to be of moderate severity.

Summary
File inclusion and remote code execution attack
Description
A flaw has been discovered where an attacker can include
(view and potentially execute) files on the server.
The vulnerability comes from a portion of code where
pages are redirected and loaded within phpMyAdmin, and an
improper test for whitelisted pages.
An attacker must be authenticated, except in these
situations:

$cfg[‘AllowArbitraryServer’] = true: attacker can
specify any host he/she is already in control of, and
execute arbitrary code on phpMyAdmin
$cfg[‘ServerDefault’] = 0: this bypasses the login and
runs the vulnerable code without any authentication

Severity
We consider this to be severe. Mitigation
factor Configuring PHP with a restrictive
open_basedir can greatly restrict an attacker’s ability to
view files on the server. Vulnerable systems should not be
run with the phpMyAdmin directives
$cfg[‘AllowArbitraryServer’] = true or $cfg[‘ServerDefault’]
= 0