

Announcement-ID: PMASA-2011-3

Date: 2011-05-22


XSS vulnerability on Tracking page.


It was possible to create a crafted table name that leads to XSS.


We consider this vulnerability to be serious.

Mitigation factor

This vulnerability works in the context of a shared phpMyAdmin installation. The attacker needs to convince a victim to go to the Tracking page that relates to the crafted table.
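The bug class described above, as an added PHP example; it is not phpMyAdmin's code or its patch. The function names, the `tracking.example.php` path and the sample table name are hypothetical and constructed for illustration. It contrasts unescaped output of a table name with per-context encoding, and includes a helper an administrator of a shared installation could use to flag identifiers containing HTML metacharacters.

```php
<?php
// Added illustration; not phpMyAdmin source. All names here are hypothetical.

// Vulnerable pattern: the table name reaches the HTML response unescaped.
function tracking_header_unsafe(string $db, string $table): string
{
    return '<h2>Tracking report for ' . $table . '</h2>'
         . '<a href="tracking.example.php?db=' . $db . '&table=' . $table . '">Versions</a>';
}

// Hardened pattern: encode separately for each output context.
function tracking_header_safe(string $db, string $table): string
{
    // HTML text context.
    $label = htmlspecialchars($table, ENT_QUOTES, 'UTF-8');
    // URL query context first, then HTML attribute context.
    $query = http_build_query(['db' => $db, 'table' => $table], '', '&', PHP_QUERY_RFC3986);
    $href  = htmlspecialchars('tracking.example.php?' . $query, ENT_QUOTES, 'UTF-8');
    return '<h2>Tracking report for ' . $label . '</h2>'
         . '<a href="' . $href . '">Versions</a>';
}

// Audit helper for a shared installation: flag identifiers carrying HTML metacharacters.
function has_html_metachar(string $identifier): bool
{
    return preg_match('/[<>"\'&]/', $identifier) === 1;
}

// Constructed sample input: a benign marker standing in for a crafted table name.
$names = ['orders', 'orders"><b>marker'];
foreach ($names as $name) {
    $unsafe = tracking_header_unsafe('shop', $name);
    $safe   = tracking_header_safe('shop', $name);
    printf(
        "%s\n  flagged: %s\n  unsafe output contains <b>: %s\n  safe output contains <b>: %s\n",
        var_export($name, true),
        var_export(has_html_metachar($name), true),
        var_export(strpos($unsafe, '<b>') !== false, true),
        var_export(strpos($safe, '<b>') !== false, true)
    );
}
```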

Affected Versions

The 3.3.x and 3.4.0 versions are affected.

Unaffected Versions

Releases older than 3.3.0 are not affected.


Upgrade to phpMyAdmin or 3.4.1 or apply the related patch listed below.


This issue was found by a person who wishes to be known as "dave b".

Assigned CVE ids: CVE-2011-1940

CWE ids: CWE-661 CWE-79


The following commits have been made to fix this issue:

The following commits have been made on the 3.3.10 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is