1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.
We consider these vulnerabilities to be serious.
 All 2.8.0.x releases before 220.127.116.11 are affected, previous versions are not.<br />  Some releases before 18.104.22.168 are affected (2.6.2 tested vulnerable).
Upgrade to phpMyAdmin 22.214.171.124.
We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.
Assigned CVE ids: CVE-2006-2031
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.