CVE-2007-5386
Description
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in phpMyAdmin 2.11.1 setup.php allows remote attackers to inject arbitrary script via query string when browser does not URL-encode requests.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in scripts/setup.php of phpMyAdmin version 2.11.1. The flaw is triggered when a browser does not URL-encode requests, causing the query string to be reflected without proper sanitization. This allows an attacker to inject arbitrary web script or HTML.
Exploitation
An attacker can craft a malicious URL containing arbitrary JavaScript in the query string. The victim must use a browser that does not URL-encode requests (e.g., older browsers or specific configurations). No authentication is required; the attacker only needs to trick the victim into visiting the crafted URL.
Impact
Successful exploitation enables the attacker to execute arbitrary HTML and script in the victim's browser within the context of the phpMyAdmin application. This can lead to session hijacking, credential theft, or other client-side attacks.
Mitigation
The vulnerability is fixed in phpMyAdmin version 2.11.1.2, released on October 15, 2007 [4]. Users should upgrade to 2.11.1.2 or later. No workaround is documented; upgrading is the recommended action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
17- secunia.com/advisories/27173nvdVendor Advisory
- osvdb.org/37678nvd
- phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_1/phpMyAdmin/ChangeLognvd
- phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/nvd
- secunia.com/advisories/27506nvd
- secunia.com/advisories/27595nvd
- www.debian.org/security/2007/dsa-1403nvd
- www.digitrustgroup.com/advisories/TDG-advisory071009anvd
- www.mandriva.com/security/advisoriesnvd
- www.phpmyadmin.net/home_page/security.phpnvd
- www.securityfocus.com/archive/1/482339/100/0/threadednvd
- www.securityfocus.com/bid/26020nvd
- www.vupen.com/english/advisories/2007/3469nvd
- bugzilla.redhat.com/show_bug.cginvd
- exchange.xforce.ibmcloud.com/vulnerabilities/37077nvd
- sourceforge.net/tracker/index.phpnvd
- www.redhat.com/archives/fedora-package-announce/2007-November/msg00040.htmlnvd
News mentions
0No linked articles in our index yet.