CVSS Score
The vulnerability stems from unescaped insertion of the filename into drag-and-drop upload result messages. The GitHub patches (53f70fd and efa2406) show the fix: wrapping 'filename' with escapeHtml() in both js/common.js and js/src/drag_drop_import.js. The original code concatenated the raw filename into HTML, so the AJAX success handlers in these files were the vulnerable points: both handle a user-controlled filename without sanitization, which directly causes the XSS.
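The following is an added illustration, not phpMyAdmin's code: it places the pre-patch pattern (raw filename concatenated into the result markup) beside the post-patch pattern (filename passed through an HTML escaper first). The escapeHtml() here is a minimal stand-in for the project's own helper, and containsInjectedTag() is a hypothetical check used only to make the difference observable.

```javascript
// Minimal HTML escaper, assumed here as a stand-in for phpMyAdmin's escapeHtml().
// '&' must be replaced first so already-escaped output is not double-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Pre-patch pattern: the user-controlled filename lands in the markup verbatim,
// so any tag characters in it become part of the DOM.
function buildResultMessageUnsafe(filename) {
  return '<div class="success">Import of ' + filename + ' succeeded</div>';
}

// Post-patch pattern: the filename is escaped before concatenation, so it is
// rendered as text rather than interpreted as markup.
function buildResultMessageSafe(filename) {
  return '<div class="success">Import of ' + escapeHtml(filename) + ' succeeded</div>';
}

// Hypothetical review check: does the built message contain any tag other than
// the wrapper <div> the handler itself emits? (Naive tag scan, for illustration only.)
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?div(\s|>)/i.test(t));
}

// Constructed sample filename carrying markup characters (not a real upload).
const sampleFilename = 'quarterly <b>report</b> & "notes".sql';
```

With the constructed filename, the unsafe builder yields extra <b> tags inside the message while the safe builder yields only the wrapper div with the filename shown as literal text.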
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| phpmyadmin/phpmyadmin | composer | >= 4.3.0, < 4.9.11 | 4.9.11 |
| phpmyadmin/phpmyadmin | composer | >= 5.0, < 5.2.1 | 5.2.1 |