GHSA-6hr3-44gx-g6wh: XSS vulnerability in drag-and-drop upload of phpMyAdmin

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface. Upgrading to 4.9.11 or 5.2.1 fixes the issue. As a workaround, disabling the configuration directive $cfg['enable_drag_drop_import'] (set it to false in config.inc.php) turns off drag-and-drop upload entirely, so the vulnerable code path cannot be reached.
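To check a deployment against this advisory, the following Python script (added here; it is not code from phpMyAdmin or from the advisory) compares an installed version against the affected ranges and parses a config.inc.php for the $cfg['enable_drag_drop_import'] directive. The function names, the embedded sample config, and the assumption that the directive counts as enabled when it is not set at all are this example's own.

```python
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ((4, 3, 0), (4, 9, 11)),
    ((5, 0, 0), (5, 2, 1)),
]

# Matches an assignment to the directive, e.g. $cfg['enable_drag_drop_import'] = false;
DIRECTIVE_RE = re.compile(
    r"""^\s*\$cfg\s*\[\s*['"]enable_drag_drop_import['"]\s*\]\s*=\s*(true|false|1|0)\s*;""",
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '5.2.0-rc1' or '4.9.10' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable phpMyAdmin version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))      # '5.0' -> (5, 0, 0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def drag_drop_import_enabled(config_text: str) -> bool:
    """Report whether drag-and-drop import is on, given config.inc.php contents.

    Mirrors PHP semantics: the last uncommented assignment wins. If the
    directive is never assigned, the feature is treated as enabled; that
    is an assumption of this example, not something the advisory states.
    """
    enabled = True
    for line in config_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "/*", "*")):   # skip comment lines
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            enabled = m.group(1).lower() in ("true", "1")
    return enabled


def assess(version: str, config_text: str) -> dict:
    """Combine both checks; 'exposed' is True only when the version is
    affected AND the drag-and-drop workaround has not been applied."""
    affected = is_affected(version)
    enabled = drag_drop_import_enabled(config_text)
    return {
        "affected_version": affected,
        "drag_drop_import_enabled": enabled,
        "exposed": affected and enabled,
    }


# Constructed sample config.inc.php (not from any real deployment). The
# commented-out line must be ignored; the live assignment disables the feature.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'constructed-placeholder-secret';
$cfg['Servers'][1]['auth_type'] = 'cookie';
// $cfg['enable_drag_drop_import'] = true;
$cfg['enable_drag_drop_import'] = false;
"""

if __name__ == "__main__":
    for ver in ("4.9.10", "4.9.11", "5.2.0", "5.2.1"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

The workaround check is deliberately conservative: an install on an affected version with no explicit assignment is reported as exposed, because the only evidence that the feature is off is an uncommented `= false;` line in the config. Treat a "not exposed" result from the config check as a stopgap; upgrading to a patched version is still the fix.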

Source: GitHub Advisory Database (GitHub Reviewed), CVE-2023-25727

XSS vulnerability in drag-and-drop upload of phpMyAdmin

Moderate severity GitHub Reviewed Published Feb 13, 2023 to the GitHub Advisory Database • Updated Feb 14, 2023

Package: phpmyadmin/phpmyadmin (Composer)
Affected versions: >= 4.3.0, < 4.9.11 and >= 5.0, < 5.2.1
Patched versions: 4.9.11 and 5.2.1

Last updated: Feb 14, 2023
Published to the GitHub Advisory Database: Feb 13, 2023
Published by the National Vulnerability Database: Feb 13, 2023

Related news

CVE-2023-25727: Security - PMASA-2023-1