XSS and SQL injection vulnerabilities
Cross-site scripting (XSS) vulnerability allows remote attackers to inject
arbitrary web script or HTML via a crafted MySQL table name.
SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.
We consider these vulnerabilities to be serious.
For 2.11.x: versions before 220.127.116.11 are affected.<br /> For 3.x: versions before 18.104.22.168 are affected.
Upgrade to phpMyAdmin 22.214.171.124 or 126.96.36.199.
We wish to thank Quintin Russ for informing us in a responsible manner.
Assigned CVE ids: CVE-2009-3696 CVE-2009-3697
CWE ids: CWE-661 CWE-79 CWE-89
The following commits have been made to fix this issue:
The following commits have been made on the 2.11 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.