We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on server_status.php.
Our team also fixed other possible XSS vulnerabilities involving PHP_SELF, PATH_INFO and REQUEST_URI.
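The following is an added illustration, not phpMyAdmin code and not the fix from the commits referenced in this advisory. It shows why PHP_SELF, PATH_INFO and REQUEST_URI need output escaping: all three are derived from the client's request. The function names, the `/app/page.php` path and the sample values are hypothetical and constructed for the example.

```php
<?php
// Added illustration, not phpMyAdmin code. All names below are hypothetical.

/** Escape a request-derived value for HTML text or a quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build a form action for the current script.
 * SCRIPT_NAME is used instead of PHP_SELF because PHP_SELF also carries any
 * trailing PATH_INFO that the client appended to the URL.
 */
function self_action(array $server): string
{
    return html_escape($server['SCRIPT_NAME'] ?? '');
}

/** Render the three values the advisory names, escaped at output time. */
function render_debug_rows(array $server): string
{
    $rows = '';
    foreach (['PHP_SELF', 'PATH_INFO', 'REQUEST_URI'] as $key) {
        $rows .= '<tr><th>' . $key . '</th><td>'
            . html_escape($server[$key] ?? '') . "</td></tr>\n";
    }
    return $rows;
}

// Constructed sample: a request whose path carries markup characters.
$server = [
    'SCRIPT_NAME' => '/app/page.php',
    'PATH_INFO'   => '/"><b>x</b>',
    'PHP_SELF'    => '/app/page.php/"><b>x</b>',
    'REQUEST_URI' => '/app/page.php/%22%3E%3Cb%3Ex%3C/b%3E?a=1',
];

// Before: reflecting PHP_SELF unescaped lets the markup close the attribute.
$unsafe = '<form action="' . $server['PHP_SELF'] . '">';
// After: fixed script path, escaped for the attribute context.
$safe = '<form action="' . self_action($server) . '">';

echo $unsafe, "\n", $safe, "\n", render_debug_rows($server);
```

REQUEST_URI arrives percent-encoded, while PHP_SELF and PATH_INFO are already decoded by the server, so the escaping has to happen at output time in every case.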
We consider these vulnerabilities to be serious.
Probably all versions before 220.127.116.11.
Upgrade to phpMyAdmin 18.104.22.168 or newer.
Assigned CVE ids: CVE-2007-5589
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.