GHSA-6hr3-44gx-g6wh

Source

https://github.com/advisories/GHSA-6hr3-44gx-g6wh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-6hr3-44gx-g6wh/GHSA-6hr3-44gx-g6wh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6hr3-44gx-g6wh

Aliases

Published

2023-02-13T06:30:59Z

Modified

2025-03-21T15:52:59.263497Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin

Details

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive $cfg['enable_drag_drop_import'], users will be unable to use the drag and drop upload which would protect against the vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2023-02-13T06:15:00Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2023-02-14T00:43:33Z"
}

References

Affected packages

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.9.11

Affected versions

4.*

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.7.8

4.7.9

4.8.0

4.8.0.1

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.9.0

4.9.0.1

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0

Fixed

5.2.1

Affected versions

5.*

5.0.0

5.0.0.1

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0