We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on server_status.php.
Our team fixed also other possible XSS vulnerabilities regarding PHP_SELF, PATH_INFO, REQUEST_URI.
We consider these vulnerabilities to be serious.
Probably all versions before 126.96.36.199.
Upgrade to phpMyAdmin 188.8.131.52 or newer.
Assigned CVE ids: CVE-2007-5589
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.