Announcement-ID: PMASA-2016-9
Date: 2016-01-24
XSS vulnerability in SQL editor.
With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
Versions 4.5.x (prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.5.4 or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-2045
The following commits have been made on the 4.5 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.