CVE-2008-2960
Description
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin before 2.11.7 is vulnerable to cross-site scripting via scripts in libraries/ when register_globals is on and .htaccess is disabled.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in phpMyAdmin versions before 2.11.7. The flaw resides in various scripts within the /libraries directory. The code path is reachable on insecure PHP installations where both register_globals is enabled and the web server does not apply the .htaccess restrictions placed in the /libraries directory [4].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request that injects arbitrary web script or HTML into the application. No authentication is required; the attacker only needs to be able to make HTTP requests to the affected phpMyAdmin instance. The attack vector is network-based, and user interaction (e.g., clicking a link) may be required to trigger the XSS in a victim's browser.
Impact
Successful exploitation allows remote attackers to inject and execute arbitrary HTML or JavaScript in the context of the victim's session. This can lead to information disclosure (e.g., stealing session cookies), redirection to malicious sites, or other actions that compromise the confidentiality and integrity of the phpMyAdmin session.
Mitigation
The vulnerability is fixed in phpMyAdmin version 2.11.7 and later [4]. Administrators should upgrade immediately. If upgrading is not possible, ensure that register_globals is disabled (off) in php.ini and that the web server enforces .htaccess overrides (AllowOverride All for the /libraries directory). The .htaccess file in /libraries restricts direct access to those scripts, which is a secondary mitigation [4]. No known workaround exists if these conditions cannot be met; upgrading is the recommended action.
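The configuration hardening described above, written out as an Apache (mod_php, 2.4 syntax) virtual host fragment. This is an added example, not configuration shipped by the phpMyAdmin project; the install path and hostname are assumptions.

```apacheconf
# Added example: hardened Apache/mod_php configuration for a phpMyAdmin
# install at /var/www/phpmyadmin (path and ServerName are assumptions).
<VirtualHost *:443>
    ServerName db-admin.example.internal
    DocumentRoot /var/www/phpmyadmin

    # Weak setting: register_globals = On in php.ini with no override here.
    # Forcing it Off removes one precondition of CVE-2008-2960, and
    # php_admin_flag cannot be re-enabled from .htaccess or ini_set().
    php_admin_flag register_globals Off

    # Weak setting: AllowOverride None, which silently ignores the .htaccess
    # that phpMyAdmin ships in libraries/ to block direct requests there.
    <Directory /var/www/phpmyadmin>
        AllowOverride All
        Require all granted
    </Directory>

    # Enforce the same restriction in the server config itself, so the
    # protection no longer depends on .htaccess processing. The scripts in
    # libraries/ are only ever included by PHP, never requested over HTTP.
    <Directory /var/www/phpmyadmin/libraries>
        Require all denied
    </Directory>
</VirtualHost>
```

After reloading Apache, a direct request for any script under /libraries/ should return 403, and `register_globals` should show as Off in phpinfo() for this virtual host.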
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1:*:*:*:*:*:*:*
- (no CPE) version range: < 2.11.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/30813 [nvd] Vendor Advisory
- lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html [nvd]
- secunia.com/advisories/30816 [nvd]
- secunia.com/advisories/33822 [nvd]
- www.mandriva.com/security/advisories [nvd]
- www.openwall.com/lists/oss-security/2008/07/16/11 [nvd]
- www.phpmyadmin.net/home_page/downloads.php [nvd]
- www.phpmyadmin.net/home_page/security.php [nvd]
- www.vupen.com/english/advisories/2008/1904/references [nvd]
- exchange.xforce.ibmcloud.com/vulnerabilities/43320 [nvd]
News mentions
No linked articles in our index yet.