CVE-2008-3457

Name	CVE-2008-3457
Description	Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DSA-1641-1
NVD severity	low (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
phpmyadmin (PTS)	wheezy	4:3.4.11.1-2+deb7u2	fixed
	wheezy (security)	4:3.4.11.1-2+deb7u8	fixed
	jessie (security), jessie	4:4.2.12-2+deb8u2	fixed
	stretch	4:4.6.6-4	fixed
	buster, sid	4:4.6.6-5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
phpmyadmin	source	(unstable)	4:2.11.8~rc1-1	low
phpmyadmin	source	etch	4:2.9.1.1-8	low	DSA-1641-1

if an attacker can write arbitrary content to config/config.php you have way more problems than this XSS