Bringing MySQL to the web


Announcement-ID: PMASA-2013-10

Date: 2013-08-04

Updated: 2013-08-05


ClickJacking protection can be bypassed.


phpMyAdmin has a number of mechanisms to prevent clickjacking attacks; however, these mechanisms either work only in modern browser versions or can be bypassed.
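As an added illustration (not phpMyAdmin code and not part of the original advisory), the following JavaScript audits a response for the browser-enforced anti-framing headers, the kind of protection that only newer browsers honour. The advisory does not name the mechanisms; the choice of `X-Frame-Options` and CSP `frame-ancestors`, the function names and the sample responses are assumptions made for this example.

```javascript
// Added example, not phpMyAdmin code: audit the browser-enforced anti-framing headers.
// Assumes one policy per Content-Security-Policy header value.
function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map((s) => s.toLowerCase());
  }
  return null;
}

function auditFraming(headers) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  if (!xfo) findings.push('X-Frame-Options missing');
  else if (!xfoOk) findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN`);

  const sources = frameAncestors(h['content-security-policy'] || '');
  let restricted;
  if (sources === null) {
    findings.push('CSP frame-ancestors missing');
    restricted = xfoOk; // only the older header applies
  } else if (sources.some((s) => ['*', 'http:', 'https:'].includes(s))) {
    // Browsers that enforce frame-ancestors ignore X-Frame-Options, so this wins.
    findings.push('CSP frame-ancestors allows any origin');
    restricted = false;
  } else {
    restricted = true; // 'none', 'self', an empty list or explicit hosts
  }
  return { restricted, findings };
}

// Constructed sample responses, for illustration only.
const SAMPLES = {
  none: {},
  legacyOnly: { 'X-Frame-Options': 'DENY' },
  obsoleteValue: { 'x-frame-options': 'ALLOW-FROM https://example.test' },
  cspOverrides: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" },
  both: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" },
};
for (const [name, hdrs] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditFraming(hdrs)));
}
```

A response that passes this check is still unprotected in browsers that ignore both headers, which is why a header-only defence does not cover older browser versions.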


We consider this vulnerability serious.

Affected Versions

Versions 3.5.x and 4.0.x (prior to 4.0.5) are affected.


Upgrade to phpMyAdmin 4.0.5 or newer, or apply the patches listed below. We have no solution for 3.5.x because the proposed solution requires JavaScript, and we don't want to introduce a dependency on JavaScript in the 3.5.x family.


Thanks to Emanuel Bronshtein for reporting this issue. For more details, please refer to this report.

Assigned CVE ids: CVE-2013-5029

CWE ids: CWE-661 CWE-693


The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is