In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive $cfg['enable_drag_drop_import']
, users will be unable to use the drag and drop upload which would protect against the vulnerability.
CPE | Name | Operator | Version |
---|---|---|---|
phpmyadmin/phpmyadmin | lt | 5.2.1 | |
phpmyadmin/phpmyadmin | lt | 4.9.11 |