PMASA-2018-8
Announcement-ID: PMASA-2018-8
Date: 2018-12-07
Summary
XSS vulnerability in navigation tree
Description
A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.
Severity
We consider this attack to be of moderate severity.
Mitigation factor
The stored XSS vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.
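The following is an added illustration of the bug class described above and of the standard mitigation (HTML output encoding); it is not phpMyAdmin's own code and does not reproduce the 4.8.4 patch. The function names, the markup shape and the sample database/table names are constructed for the example; the point is that identifiers are legal MySQL names yet must be treated as untrusted text when rendered into the navigation tree.

```python
import html
import re

# Constructed sample identifiers: one ordinary name and two that carry
# HTML metacharacters (both are valid backtick-quoted MySQL names).
SAMPLE_NAMES = ["sales_2018", "report<b>q4</b>", 'log"onload']

# Characters that matter when an identifier lands inside HTML.
HTML_META = re.compile(r'[<>"\'&]')


def render_tree_item_unescaped(name: str) -> str:
    """The vulnerable pattern: the identifier is interpolated verbatim, so a
    crafted name can close the attribute or inject elements into the tree."""
    return f'<li class="nav-item" data-name="{name}">{name}</li>'


def render_tree_item(name: str) -> str:
    """Hardened rendering: html.escape(quote=True) encodes < > & " and ',
    so the name is shown as text and cannot break out of the attribute."""
    safe = html.escape(name, quote=True)
    return f'<li class="nav-item" data-name="{safe}">{safe}</li>'


def find_suspicious_names(names):
    """Audit helper for an instance that ran an affected version: return the
    database/table names containing HTML metacharacters so they can be
    reviewed. (Assumed usage: feed it the names from information_schema.)"""
    return [n for n in names if HTML_META.search(n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("unescaped:", render_tree_item_unescaped(n))
        print("escaped:  ", render_tree_item(n))
    print("names to review:", find_suspicious_names(SAMPLE_NAMES))
```

The escaped variant leaves the tree's markup structure fixed regardless of the identifier, which is the property the fix in 4.8.4 restores for the navigation panel; the audit helper is a cheap post-upgrade check, since a name with markup characters in it is rare in normal schemas and worth a look.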
Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
Solution
Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.
References
Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and Eddie TC CHANG for reporting this vulnerability.
Assigned CVE IDs: CVE-2018-19970
Patches
The following commits have been made on the 4.8 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.