VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 30, 2008· Updated Apr 23, 2026

CVE-2008-4326

CVE-2008-4326

Description

The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin before 2.11.9.2 allows XSS bypass via a NUL byte inside a `</script` sequence when Internet Explorer is used, due to incomplete escaping in `PMA_escapeJsString`.

Vulnerability

The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin versions before 2.11.9.2 fails to properly escape a NUL byte (\0) embedded within a </script sequence. When Internet Explorer is used, the browser's HTML parser may interpret the payload differently than the escaping logic, allowing an attacker to break out of a JavaScript context and inject arbitrary HTML or JavaScript. Affected are all phpMyAdmin releases prior to 2.11.9.2 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious input that includes a NUL byte immediately following the letters </script. For example, a string containing </script\0 can bypass the escaping function because the NUL byte terminates the sequence from the perspective of the JavaScript string literal, but the browser's HTML parser (specifically Internet Explorer) still recognizes </script as a closing script tag. The attacker typically needs to deliver the payload via a parameter that is later embedded into a JavaScript context, such as a table comment or a database name, and the victim must use Internet Explorer. No special authentication or network position is required beyond the ability to inject content into a phpMyAdmin page [1][4].

Impact

Successful exploitation leads to cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the context of the victim's phpMyAdmin session, potentially accessing session cookies, performing actions on behalf of the administrator, or defacing the interface. The impact is limited to users running Internet Explorer and interacting with a vulnerable phpMyAdmin instance. The attacker does not gain elevated privileges within the application itself but can abuse the existing session of the victim [4].

Mitigation

The fix is included in phpMyAdmin version 2.11.9.2, released on September 29, 2008 [1][2][3]. Users should upgrade to this version or later. No workaround is available for versions earlier than 2.11.9.2. If upgrading is not immediately possible, administrators may consider restricting access to phpMyAdmin or encouraging users to avoid Internet Explorer. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. Downloads
  2. phpMyAdmin
  3. phpMyAdmin
  4. About Secunia Research | Flexera

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

139
  • PhpMyAdmin/phpMyAdmin139 versions
    cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*+ 138 more
    • cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*range: <=2.11.9.1
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.01:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.7_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_dev:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1_dev:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_dev:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.9_rc1:*:*:*:*:*:*:*
    • (no CPE)range: <2.11.9.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

16

News mentions

0

No linked articles in our index yet.