Miggo Logo
Miggo Vulnerability Database
CVE-2018-15605

CVE-2018-15605: phpMyAdmin Cross-site Scripting (XSS) in the import dialog

6.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-15605
GHSA ID
GHSA-c958-4j9x-q7w4
EPSS Score
0.73958%
CWE
CWE-79
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer< 4.8.34.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper output sanitization in warning message handling during file imports. The commit diff shows the fix added Message::sanitize() to the $warning parameter in this function. Before the patch, the raw $warning input (from imported files) was passed to Message::notice() and rendered via getDisplay(), enabling HTML/script injection. This matches the described XSS vulnerability pattern where user-controlled input isn't properly neutralized before web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in p*pMy**min ***or* *.*.*. * *ross-Sit* S*riptin* vuln*r**ility **s ***n *oun* w**r* *n *tt**k*r **n us* * *r**t** *il* to m*nipul*t* *n *ut**nti**t** us*r w*o lo**s t**t *il* t*rou** t** import ***tur*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r output s*nitiz*tion in w*rnin* m*ss*** **n*lin* *urin* *il* imports. T** *ommit *i** s*ows t** *ix ***** `M*ss***::s*nitiz*()` to t** $w*rnin* p*r*m*t*r in t*is *un*tion. ***or* t** p*t**, t** r*w $w*rnin* input