CVE-2019-19617: phpMyAdmin unsanitized Git information
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-19617
GHSA ID: -
EPSS Score: 0.77599%
CWE: -
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | < 4.9.2 | 4.9.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Git metadata being written into HTML output without escaping. The patch wraps variables such as $commit_hash, $branch, $repobase, and $revision in htmlspecialchars() before they are concatenated into markup. Both identified functions directly render Git version information:
- GitRevision::display() builds the version-information links without escaping the values in the original code
- Footer::_getDemoMessage() constructs the demo-server message with the raw Git parameters

These functions emit Git data that an attacker can influence (for example through a compromised or tampered checkout whose branch names or commit metadata carry markup) without sanitization, creating XSS vectors in the phpMyAdmin interface. The high confidence comes from the diff explicitly patching these specific functions with HTML escaping.

Two practitioner notes: the CVSS vector above (C:H/I:H/A:H) is at the very top of the range for an XSS, and the practical impact is bounded by what the victim's phpMyAdmin session is allowed to do; and the affected code path only emits output when phpMyAdmin has Git metadata to display, so the check that matters is the version table above (anything below 4.9.2 needs upgrading).
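As an added illustration (not code from this page or from phpMyAdmin itself), the following PHP shows the pattern the patch addresses: the same revision link built once with raw Git values and once with htmlspecialchars() applied, plus a small check that the escaped form no longer carries the injected markup. The function names, the markup template, and the sample repository values are constructed for this example and are not phpMyAdmin's.

```php
<?php
// Added example, not phpMyAdmin code: the unescaped-vs-escaped rendering
// pattern behind CVE-2019-19617. Function names, the markup template and
// the sample values below are constructed for this illustration.

// 'Before' shape: Git metadata is concatenated straight into HTML.
function buildRevisionLinkUnescaped($repobase, $branch, $commitHash)
{
    $short = substr($commitHash, 0, 7);
    return '<a href="' . $repobase . 'commit/' . $commitHash . '">' . $short . '</a>'
        . ' (' . $branch . ')';
}

// 'After' shape: every value passes through htmlspecialchars() first.
// ENT_QUOTES is used because $repobase and $commitHash land inside a quoted
// attribute, where a bare " would otherwise break out of it.
function esc($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function buildRevisionLinkEscaped($repobase, $branch, $commitHash)
{
    $short = substr($commitHash, 0, 7);
    return '<a href="' . esc($repobase) . 'commit/' . esc($commitHash) . '">' . esc($short) . '</a>'
        . ' (' . esc($branch) . ')';
}

// Returns true when the unescaped output still carries the raw marker from
// the input and the escaped output does not, i.e. the fix neutralises it.
function escapingNeutralises($repobase, $branch, $commitHash, $marker)
{
    $unsafe = buildRevisionLinkUnescaped($repobase, $branch, $commitHash);
    $safe   = buildRevisionLinkEscaped($repobase, $branch, $commitHash);
    return strpos($unsafe, $marker) !== false && strpos($safe, $marker) === false;
}

// Constructed sample: a branch name carrying markup. git check-ref-format
// rejects spaces and a handful of other characters, but allows <, > and ",
// so a tampered checkout can present a ref like this one.
$repobase   = 'https://github.com/phpmyadmin/phpmyadmin/';
$branch     = 'master"><svg/onload=alert(document.domain)>';
$commitHash = '0123456789abcdef0123456789abcdef01234567';

echo "unescaped: " . buildRevisionLinkUnescaped($repobase, $branch, $commitHash) . "\n";
echo "escaped:   " . buildRevisionLinkEscaped($repobase, $branch, $commitHash) . "\n";
echo "fix neutralises markup: "
    . (escapingNeutralises($repobase, $branch, $commitHash, '<svg') ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`: the first line shows the `<svg ...>` tag landing verbatim inside the rendered markup, the second shows it turned into `&lt;svg/onload=...&gt;`, and the third confirms the check passes. The point of escaping at the output site rather than validating ref names is that every value reaching the template is covered, whatever Git happens to accept.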