Miggo Logo

CVE-2018-15605: phpMyAdmin Cross-site Scripting (XSS) in the import dialog

6.1

CVSS Score
3.0

Basic Information

EPSS Score
0.73958%
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer< 4.8.34.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper output sanitization in warning message handling during file imports. The commit diff shows the fix added Message::sanitize() to the $warning parameter in this function. Before the patch, the raw $warning input (from imported files) was passed to Message::notice() and rendered via getDisplay(), enabling HTML/script injection. This matches the described XSS vulnerability pattern where user-controlled input isn't properly neutralized before web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in p*pMy**min ***or* *.*.*. * *ross-Sit* S*riptin* vuln*r**ility **s ***n *oun* w**r* *n *tt**k*r **n us* * *r**t** *il* to m*nipul*t* *n *ut**nti**t** us*r w*o lo**s t**t *il* t*rou** t** import ***tur*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r output s*nitiz*tion in w*rnin* m*ss*** **n*lin* *urin* *il* imports. T** *ommit *i** s*ows t** *ix ***** `M*ss***::s*nitiz*()` to t** $w*rnin* p*r*m*t*r in t*is *un*tion. ***or* t** p*t**, t** r*w $w*rnin* input