Marc Delisle

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.1 phpMyAdmin versions 4.1.x through 4.1.14.2 phpMyAdmin versions 4.2.x through 4.2.7.0 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via several pages, including the browse table page related to js/sql.js, the ENUM editor page related to js/functions.js, the monitor page related to js/server status monitor.js, the query charts page related to js/tbl chart.js, or the table relations page related to libraries/tbl relation.lib.php. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.1, update to version 4.0.10.2 or later. For phpMyAdmin versions 4.1.x through 4.1.14.2, update to version 4.1.14.3 or later. For phpMyAdmin versions 4.2.x through 4.2.7.0, update to version 4.2.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.1.x through 4.1.14.2 phpMyAdmin versions 4.2.x through 4.2.7.0 **Description** A cross-site scripting (XSS) issue exists in the view operations page, allowing remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to the `js/functions.js` file. **Recommendations** For phpMyAdmin versions 4.1.x through 4.1.14.2, update to version 4.1.14.3 or later. For phpMyAdmin versions 4.2.x through 4.2.7.0, update to version 4.2.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.2 phpMyAdmin versions 4.1.x through 4.1.14.3 phpMyAdmin versions 4.2.x through 4.2.8.0 **Description** A cross-site scripting (XSS) issue exists in the micro history implementation, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL, related to js/ajax.js. This could lead to a cross-site request forgery (CSRF) attack, potentially resulting in the creation of a root account. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.2, update to version 4.0.10.3 or later. For phpMyAdmin versions 4.1.x through 4.1.14.3, update to version 4.1.14.4 or later. For phpMyAdmin versions 4.2.x through 4.2.8.0, update to version 4.2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.2.x through 4.2.5 **Description** A cross-site scripting (XSS) issue exists due to improper handling of crafted table comments during the construction of a database structure page. This allows remote authenticated users to inject arbitrary web script or HTML. The issue is related to the PMA getHtmlForActionLinks function in libraries/structure.lib.php. **Recommendations** For phpMyAdmin versions 4.2.x through 4.2.5, update to version 4.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the database structure page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.1.x through 4.1.14.1 phpMyAdmin versions 4.2.x through 4.2.5 **Description** The issue allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. **Recommendations** For phpMyAdmin versions 4.1.x through 4.1.14.1, update to version 4.1.14.2 or later. For phpMyAdmin versions 4.2.x through 4.2.5, update to version 4.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.0 phpMyAdmin versions 4.1.x through 4.1.14.1 phpMyAdmin versions 4.2.x through 4.2.5 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the PMA TRI getRowForList function. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.0, update to version 4.0.10.1 or later. For phpMyAdmin versions 4.1.x through 4.1.14.1, update to version 4.1.14.2 or later. For phpMyAdmin versions 4.2.x through 4.2.5, update to version 4.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.0 phpMyAdmin versions 4.1.x through 4.1.14.1 phpMyAdmin versions 4.2.x through 4.2.5 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via a crafted table name or column name that is improperly handled during construction of an AJAX confirmation message. This occurs due to multiple cross-site scripting (XSS) vulnerabilities in js/functions.js. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.0, update to version 4.0.10.1 or later. For phpMyAdmin versions 4.1.x through 4.1.14.1, update to version 4.1.14.2 or later. For phpMyAdmin versions 4.2.x through 4.2.5, update to version 4.2.6 or later.