DescriptionMultiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before, 4.4.x before, and 4.5.x before allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-481-1, DSA-3627-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm, sid4:5.2.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy
0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in, but code mysteriously not found in wheezy
fe3be9f4b9edd54dc39919e7dfeaaf4a67c1cf83: vulnerability introduced in 052fd61f (3.5.1)
b8f1e0f325f8f32bd82af64111d8c2e9055a363c and 73c8245a3d1893a710447957e28dcfb18d9b47ad present in wheezy and later, patch in

Search for package or bug name: Reporting problems