XSS in table Print view.
PMASA-2011-9 Announcement-ID: PMASA-2011-9 Date: 2011-07-23 Summary XSS in table Print view. Description The attacker must trick the victim into clicking a link that reaches phpMyAdmin's table print view script; one of the link's parameters is a crafted table name, the name containing JavaScript...
URL redirection to untrusted site.
PMASA-2011-4 Announcement-ID: PMASA-2011-4 Date: 2011-05-22 Summary URL redirection to untrusted site. Description It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack. Severity We consider this vulnerability to be serious. Affected Versions The 3.4.0...
XSS attack in database search.
PMASA-2010-8 Announcement-ID: PMASA-2010-8 Date: 2010-11-29 Summary XSS attack in database search. Description It was possible to conduct an XSS attack using a spoofed request on the db search script. Severity We consider this vulnerability to be non critical. Affected Versions For 3.x: versions...
Unsafe handling of temporary files
PMASA-2010-2 Announcement-ID: PMASA-2010-2 Date: 2010-01-15 Summary Unsafe handling of temporary files Description phpMyAdmin created temporary files with predictable file names. Severity We consider these vulnerabilities to be not critical. Affected Versions For 2.11.x: versions before 2.11.10 ar...
A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.
PMASA-2005-1 Announcement-ID: PMASA-2005-1 Date: 2005-02-25 Summary A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion. Description We received two bug reports by Maksymilian...
Arbitrary file read vulnerability
PMASA-2019-1 Announcement-ID: PMASA-2019-1 Date: 2019-01-21 Summary Arbitrary file read vulnerability Description When the AllowArbitraryServer configuration is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. phpMyadmi...
Remote code execution vulnerability when PHP is running with dbase extension
PMASA-2016-56 Announcement-ID: PMASA-2016-56 Date: 2016-07-25 Summary Remote code execution vulnerability when PHP is running with dbase extension Description A vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations...
Denial of service (DOS) attack by changing password to a very long string
PMASA-2016-53 Announcement-ID: PMASA-2016-53 Date: 2016-07-25 Summary Denial of service (DOS) attack by changing password to a very long string Description An authenticated user can trigger a denial-of-service (DOS) attack by entering a very long password at the change password dialog. Severity We...
Multiple XSS vulnerabilities.
PMASA-2016-3 Announcement-ID: PMASA-2016-3 Date: 2016-01-24 Summary Multiple XSS vulnerabilities. Description With a crafted table name it is possible to trigger an XSS attack in the database search page. With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks...
XSS vulnerabilities in SQL debug output and server monitor page.
PMASA-2014-12 Announcement-ID: PMASA-2014-12 Date: 2014-10-21 Summary XSS vulnerabilities in SQL debug output and server monitor page. Description With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and...
Access for an unprivileged user to MySQL user list.
PMASA-2014-7 Announcement-ID: PMASA-2014-7 Date: 2014-07-17 Summary Access for an unprivileged user to MySQL user list. Description An unprivileged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them. Severity We consider this vulnerability to be non...
Insufficient output sanitizing when generating configuration file.
PMASA-2009-4 Announcement-ID: PMASA-2009-4 Date: 2009-04-14 Summary Insufficient output sanitizing when generating configuration file. Description The setup script used to generate the configuration can be fooled by a crafted POST request into including arbitrary PHP code in the generated configuration file...
HTTP Response Splitting vulnerability
PMASA-2007-1 Announcement-ID: PMASA-2007-1 Date: 2007-01-16 Summary HTTP Response Splitting vulnerability Description On systems running PHP 5 before 5.1.2 or PHP 4 before 4.4.2, it is possible to trigger this vulnerability by editing the cookie containing PHP's session id. This can be used to se...
Unsafe generation of blowfish secret
PMASA-2016-58 Announcement-ID: PMASA-2016-58 Date: 2016-11-25 Updated: 2016-12-06 Summary Unsafe generation of blowfish secret Description When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way th...
Detect if user is logged in
PMASA-2016-48 Announcement-ID: PMASA-2016-48 Date: 2016-07-24 Summary Detect if user is logged in Description A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerabilit...
Local file exposure
PMASA-2016-35 Announcement-ID: PMASA-2016-35 Date: 2016-07-12 Summary Local file exposure Description A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. Severity We consider this vulnerability to be...
Global variable scope injection.
PMASA-2013-7 Announcement-ID: PMASA-2013-7 Date: 2013-06-30 Updated: 2013-07-01 Summary Global variable scope injection. Description The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter. Severity We consider this...
SQL query could be executed under another user.
PMASA-2011-2 Announcement-ID: PMASA-2011-2 Date: 2011-02-11 Summary SQL query could be executed under another user. Description It was possible to create a bookmark which would be executed unintentionally by other users. Severity We consider this vulnerability to be critical. Mitigation factor To...
Multiple XSS vulnerabilities were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks.
PMASA-2004-3 Announcement-ID: PMASA-2004-3 Date: 2004-11-18 Summary Multiple XSS vulnerabilities were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks. Description We received a security advisory from Cedric Cochin netvigilance.com about those...
File Traversal Protection Bypass on Error Reporting
PMASA-2016-15 Announcement-ID: PMASA-2016-15 Date: 2016-05-25 Updated: 2016-05-26 Summary File Traversal Protection Bypass on Error Reporting Description A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the...
Self XSS in central columns feature
PMASA-2018-1 Announcement-ID: PMASA-2018-1 Date: 2018-02-20 Summary Self XSS in central columns feature Description A self-cross site scripting (XSS) vulnerability has been reported relating to the central columns feature. Severity We consider this vulnerability to be of moderate severity. Mitigati...
Path disclosure when some files have been removed.
PMASA-2011-1 Announcement-ID: PMASA-2011-1 Date: 2011-02-08 Summary Path disclosure when some files have been removed. Description When the files README, ChangeLog or LICENSE have been removed from their original place (possibly by the distributor), the scripts used to display these files can show...
Unsafe handling of temporary directory
PMASA-2010-1 Announcement-ID: PMASA-2010-1 Date: 2010-01-15 Summary Unsafe handling of temporary directory Description phpMyAdmin used to automatically create a temporary world-writable directory, which could lead to possible misuse of it. Severity We consider these vulnerabilities to be not critical...
XSS vulnerabilities
PMASA-2006-2 Announcement-ID: PMASA-2006-2 Date: 2006-05-12 Summary XSS vulnerabilities Description 1. It was possible to conduct an XSS attack with a crafted lang or theme parameter. 2. The db parameter was also vulnerable to an XSS attack. Severity We consider these vulnerabilities to be...
XSS vulnerability
PMASA-2009-5 Announcement-ID: PMASA-2009-5 Date: 2009-06-30 Summary XSS vulnerability Description It was possible to conduct an XSS attack via a crafted SQL bookmark. Severity We consider this vulnerability to be serious. Affected Versions For 2.11.x: versions are not affected. For 3.x: All 3.x...
Multiple XSS.
PMASA-2011-14 Announcement-ID: PMASA-2011-14 Date: 2011-09-14 Summary Multiple XSS. Description Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities...
XSS on Insert page
PMASA-2025-2 Announcement-ID: PMASA-2025-2 Date: 2025-01-20 Updated: 2025-01-23 Summary XSS on Insert page Description An XSS vulnerability has been discovered with the phpMyAdmin "Insert" tab. Severity We consider this vulnerability to be of moderate severity. Affected Versions phpMyAdmin versio...
(1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability
PMASA-2005-5 Announcement-ID: PMASA-2005-5 Date: 2005-10-22 Updated: 2005-10-25 Summary (1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability Description We received a security advisory from Stefan Esser [email protected] about 1. We received a security advisory from...