Announcement-ID: PMASA-2023-1
Date: 2023-02-07
XSS vulnerability in drag-and-drop upload
An XSS vulnerability has been discovered where an authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.
We consider this vulnerability to be of moderate severity.
By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability.
phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0.
Upgrade to phpMyAdmin 5.2.1 or 4.9.11 or newer or apply patch listed below.
Thanks to a user who wishes to remain anonymous for reporting this vulnerability.
Assigned CVE ids: CVE-2023-25727
CWE ids: CWE-661
The following commits have been made on the 4.9 branch to fix this issue:
The following commits have been made on the 5.2 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.