PT-2022-16279 · Unknown+2 · Phpmyadmin+2
Dipak Panchal +1 · Published 2020-01-16 · Updated 2024-06-15
CVE-2022-23808 · CVSS v3.1 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
phpMyAdmin versions 5.1 through 5.1.1
phpMyAdmin version 5.1.2 is not affected, but all versions prior to 5.1.2 are vulnerable.
Description
An issue was discovered in phpMyAdmin that allows an attacker to inject malicious code into parts of the setup script, enabling XSS or HTML injection. This can potentially allow attackers to manipulate user accounts or bypass two-factor authentication in subsequent authentication sessions. Additionally, weaknesses were identified that let malicious users submit crafted input, resulting in XSS or HTML injection in the graphical setup page. In some scenarios, sensitive information such as database names can appear in the URL, and error messages during failed logon attempts can reveal the target database server's hostname or IP address.
Recommendations
For phpMyAdmin versions 5.1 through 5.1.1, update to version 5.1.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the setup script until a patch is available.
Avoid using the graphical setup page with untrusted input until the issue is resolved.
Enable the cookie parameter "SameSite" when using PHP version 7.3 or newer to enhance security.
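The following configuration is an added example illustrating the workarounds above; it is not part of this advisory or of phpMyAdmin. It assumes phpMyAdmin is installed under /usr/share/phpmyadmin and served by Apache httpd 2.4 with mod_php; the install path and the administrative IP range are placeholders.

```apache
# Added hardening example for the recommendations above (not from the advisory
# or from phpMyAdmin). Assumes phpMyAdmin lives under /usr/share/phpmyadmin and
# is served by Apache httpd 2.4 with mod_php.

# 1. Block web access to the setup script (temporary workaround until the
#    instance runs 5.1.2 or later). The setup page has no role in day-to-day
#    use, so denying it to everyone costs nothing.
<Directory "/usr/share/phpmyadmin/setup">
    Require all denied
</Directory>

# Alternative if the setup page must stay reachable: allow it only from an
# administrative network (the range below is an assumed placeholder).
# <Directory "/usr/share/phpmyadmin/setup">
#     Require ip 10.0.0.0/8
# </Directory>

# 2. Mark the PHP session cookie SameSite (requires PHP 7.3 or newer). With
#    Strict, a cross-site navigation to the vulnerable page does not carry the
#    user's session cookie, which limits what an attacker gains from luring an
#    authenticated user to a crafted URL (the CVSS vector requires user
#    interaction). The equivalent php.ini line is:
#    session.cookie_samesite = Strict
<Directory "/usr/share/phpmyadmin">
    php_value session.cookie_samesite Strict
</Directory>
```

Validate the change with `apachectl configtest` before reloading the server, and confirm afterwards that a request to /phpmyadmin/setup/ returns 403 while the main login page still loads. SameSite reduces cross-site delivery of the session cookie but does not neutralise the injection itself; upgrading to 5.1.2 or later remains the actual fix.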
Exploit · Fix · XSS
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Debian
Phpmyadmin