XSS vulnerability in navigation tree
A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially crafted database/table name.
We consider this attack to be of moderate severity.
The stored XSS vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.
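The following is an added example, not part of the phpMyAdmin advisory or code base: a Python audit helper that checks a version string against the affected range stated above and flags database/table names containing HTML-significant characters, escaping them so the report is safe to view. The function names, the set of characters treated as suspicious, and the sample rows are assumptions made for illustration.

```python
import html
import re

# Characters with meaning in HTML markup or attribute context (assumed set).
HTML_META = re.compile(r"[<>\"'&]")

# Range stated in the advisory: "at least 4.0 through 4.8.3", fixed in 4.8.4.
# Versions older than 4.0 are not classified by the advisory.
FIRST_AFFECTED = (4, 0, 0)
FIRST_FIXED = (4, 8, 4)


def parse_version(text):
    """Turn '4.8.3' or '4.8.3-rc1' into a 3-tuple of ints; missing parts are 0."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(n) for n in nums]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True if the version falls inside the range the advisory lists."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def audit_identifiers(rows):
    """rows: (schema, table) pairs, e.g. read from information_schema.tables.
    Returns (kind, escaped_name) findings, de-duplicated, in input order."""
    findings = []
    for schema, table in rows:
        for kind, name in (("database", schema), ("table", table)):
            if name and HTML_META.search(name):
                finding = (kind, html.escape(name, quote=True))
                if finding not in findings:
                    findings.append(finding)
    return findings


# Constructed sample rows, not taken from a real server.
SAMPLE_ROWS = [
    ("shop", "orders"),
    ("shop", "notes<b>x</b>"),
    ('qa"quoted', "t1"),
    ('qa"quoted', "t2"),
]

if __name__ == "__main__":
    print("4.8.3 affected:", is_affected("4.8.3"))
    for kind, name in audit_identifiers(SAMPLE_ROWS):
        print(f"{kind}: {name}")
```

A flagged name is not proof of an attack, since such characters are legal in quoted MySQL identifiers; it marks names worth reviewing on servers that ran an affected version.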
Assigned CVE ids: CVE-2018-19970
The following commits have been made on the 4.8 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.