CVE-2008-3457
Description
Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin before 2.11.8 has a cross-site scripting vulnerability in setup.php, exploitable only when an attacker can modify config/config.inc.php.
Vulnerability
Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before version 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. This issue can only be exploited in limited scenarios where the attacker must be able to modify config/config.inc.php. [1]
Exploitation
An attacker must be able to write to the config/config.inc.php file. The attacker then crafts setup arguments that contain malicious script. When a legitimate user accesses setup.php with these crafted arguments, the script executes in the user's browser. The attack is user-assisted, requiring the victim to visit the manipulated setup page. [1]
Impact
Successful exploitation leads to arbitrary web script or HTML injection, allowing the attacker to execute malicious scripts in the context of the victim's browser. This could result in data theft, session hijacking, or other client-side attacks. [1]
Mitigation
Upgrade to phpMyAdmin version 2.11.8 or newer. The fix is included in commits 0bfb27fb0538f43e9c49b6a183b767c2bed1524d and 6a5e53c31bcbcadcb5d16cffaa3b9af181b26296. No workaround is provided; users should apply the update immediately. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* (range: <=2.11.7.0)
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.01:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.2:*:*:*:*:*:*:*
- (no CPE), range: <2.11.8
Patches
No patches discovered yet.
References
- yehg.net/lab/pr0js/advisories/XSS_inPhpMyAdmin2.11.7.pdf (nvd, Exploit)
- secunia.com/advisories/31263 (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html (nvd)
- secunia.com/advisories/31312 (nvd)
- secunia.com/advisories/32834 (nvd)
- www.debian.org/security/2008/dsa-1641 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.phpmyadmin.net/home_page/security.php (nvd)
- www.securityfocus.com/bid/30420 (nvd)
- www.vupen.com/english/advisories/2008/2226/references (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/44052 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg01239.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg01316.html (nvd)