Bringing MySQL to the web


Announcement-ID: PMASA-2010-6

Date: 2010-08-30


XSS attack using debugging messages.


It was possible to conduct a XSS attack using error messages in PHP backtrace.


We consider this vulnerability to be non critical.

Mitigation factor

Additional steps from administrator are required to actually exploit this issue (phpMyAdmin error reporting and collection needs to be enabled, what is against recommendation for production setup).

Affected Versions

For 3.x: versions before 3.3.6 are affected.

Unaffected Versions

Branch 2.11.x is not affected by this.


Upgrade to phpMyAdmin 3.3.6 or newer or apply patch listed below.


Thanks to Aung Khant from YGN Ethical Hacker Group, Myanmar for reporting this issue.

Assigned CVE ids: CVE-2010-2958

CWE ids: CWE-661 CWE-79


The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is