DescriptionMultiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before, 4.1.x before, and 4.2.x before allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs758536

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)stretch4:4.6.6-4fixed
bullseye, sid4:4.9.5+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesqueeze(not affected)
phpmyadminsourcewheezy(not affected)


[wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
Most of the affected Javascript files do not exist on version 3.3 and 3.4.
Those that do do not contain the problematic code.

Search for package or bug name: Reporting problems