CVE-2009-3696: phpMyAdmin Cross-site Scripting In MySQL Table Name
CVSS Score: 4.3

Basic Information
CVE ID: CVE-2009-3696
GHSA ID:
EPSS Score: 0.86854%
CWE:
Published: 5/2/2022
Updated: 2/18/2024
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | >= 2.11.0, < 2.11.9.6 | 2.11.9.6 |
phpmyadmin/phpmyadmin | composer | >= 3.0.0, < 3.2.2.1 | 3.2.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The patch commits show two changes: (1) htmlspecialchars() was applied to user-controlled strings before they are echoed into HTML (the XSS fix), and (2) PMA_sqlAddslashes() was applied to parameters interpolated into SQL queries. The unpatched versions lacked both sanitizations, so echo statements were vulnerable to cross-site scripting through crafted MySQL table names, and SQL queries were vulnerable to injection through interface parameters.
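The fix class described above, as an added PHP example that is not phpMyAdmin's own code: a table name (metadata that a low-privileged database user can control) is echoed into HTML unescaped, beside the hardened form that passes it through htmlspecialchars(). The `index.php?table=` endpoint and the `quoteIdentifier()` helper are assumptions for illustration; the helper shows the generic backtick-quoting rule for MySQL identifiers and is not PMA_sqlAddslashes(), which the advisory mentions for string parameters.

```php
<?php
// Added example, not phpMyAdmin's code. Demonstrates the vulnerable "before"
// pattern and the htmlspecialchars()-based fix described in the root cause
// analysis, plus separate encoding for the URL and SQL-identifier contexts.

// Constructed sample: a table name carrying HTML metacharacters. MySQL accepts
// such characters in identifiers when they are backtick-quoted.
$tableName = 'orders "q" <b>y</b>';

// Vulnerable pattern (the unpatched state): the raw identifier lands in the
// page and the browser parses whatever markup it contains.
function renderTableCellUnsafe(string $table): string
{
    return '<td>' . $table . '</td>';
}

// Hardened pattern: escape for the HTML text context. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTableCellSafe(string $table): string
{
    return '<td>' . escapeHtml($table) . '</td>';
}

// A link to a per-table page needs two encoders: rawurlencode() for the
// query-string value, then escapeHtml() for the attribute it sits in.
// "index.php?table=" is a hypothetical endpoint, not a phpMyAdmin URL.
function renderTableLinkSafe(string $table): string
{
    $href = 'index.php?table=' . rawurlencode($table);
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($table) . '</a>';
}

// SQL side: identifiers are not string literals, so string escaping is the
// wrong tool. The generic rule is backtick quoting with embedded backticks
// doubled. Illustration only; not the project's PMA_sqlAddslashes().
function quoteIdentifier(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

echo renderTableCellUnsafe($tableName), "\n"; // markup reaches the browser intact
echo renderTableCellSafe($tableName), "\n";   // <td>orders &quot;q&quot; &lt;b&gt;y&lt;/b&gt;</td>
echo renderTableLinkSafe($tableName), "\n";
echo 'SELECT COUNT(*) FROM ' . quoteIdentifier($tableName), "\n";
```

The point the two rendering functions make is that the escaping has to happen at the output boundary for the specific context (HTML text, HTML attribute, URL, SQL identifier); a single "sanitize on input" step cannot serve all four, which is why the patch touched each echo and each query individually.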