XSS vulnerability in SQL parser.
Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
Versions 4.5.x (prior to 220.127.116.11) are affected.
Upgrade to phpMyAdmin 18.104.22.168 or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-2559
The following commits have been made on the 4.5 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.