1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.
We consider these vulnerabilities to be serious.
All 2.8.0.x releases before 184.108.40.206 are affected; previous versions are not.
Some releases before 220.127.116.11 are affected (2.6.2 tested vulnerable).
Upgrade to phpMyAdmin 18.104.22.168.
We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.
Assigned CVE ids: CVE-2006-2031
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.