Bringing MySQL to the web


Announcement-ID: PMASA-2010-5

Date: 2010-08-20


Several XSS vulnerabilities were found in the code.


It was possible to conduct a XSS attack using crafted URLs or POST parameters on several pages.


We consider this vulnerability to be serious.

Mitigation factor

If the auth_type directive is set to 'config' and the directory is not protected, these attacks are more likely to succeed; otherwise, an attacker would need to obtain a valid token via another flaw on the server to be able to exploit these vulnerabilities.

Affected Versions

For 2.11.x: versions before are affected.<br /> For 3.x: versions before are affected.


Upgrade to phpMyAdmin or or newer or apply patch listed below.


Thanks to Aung Khant from YGN Ethical Hacker Group, Myanmar for reporting this issue. See their advisory for more details. After this report the team did audit the code as well and discovered more issues which are fixed as well.

Assigned CVE ids: CVE-2010-3056

CWE ids: CWE-661 CWE-79


The following commits have been made to fix this issue:

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is