PMASA-2023-1

Announcement-ID: PMASA-2023-1

Date: 2023-02-07

Summary

XSS vulnerability in drag-and-drop upload

Description

An XSS vulnerability has been discovered where an authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability.

Affected Versions

phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0.

Solution

Upgrade to phpMyAdmin 5.2.1 or 4.9.11 or newer or apply patch listed below.

References

Thanks to a user who wishes to remain anonymous for reporting this vulnerability.

Assigned CVE ids: CVE-2023-25727

CWE ids: CWE-661

Patches

The following commits have been made on the 4.9 branch to fix this issue:

The following commits have been made on the 5.2 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements