VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2008 · Updated Apr 23, 2026

CVE-2008-4775


Description

Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in phpMyAdmin pmd_pdf.php allows remote attackers to inject arbitrary web script via the db parameter when register_globals is enabled.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the pmd_pdf.php script of phpMyAdmin versions 3.0.0, 2.11.9.2, and 3.0.1 (and possibly others) when the PHP register_globals directive is enabled. The db parameter is not properly sanitized before being reflected in the output, allowing injection of arbitrary HTML and JavaScript [1].

Exploitation

An attacker can exploit this vulnerability by crafting a URL whose db parameter carries embedded script code. The attack is performed remotely, and the attacker needs no credentials of their own; the only server-side prerequisite is that register_globals is enabled, a deprecated PHP configuration. The attacker sends the crafted link to a victim who must be logged into phpMyAdmin, so that the script executes in the victim's session context.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser within the security context of the phpMyAdmin application. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the phpMyAdmin interface.

Mitigation

The vulnerability is fixed in phpMyAdmin version 2.11.9.4 and later [2]. Users should upgrade to the latest available version. As a general security measure, disabling register_globals in PHP configuration mitigates the attack vector. No other workaround is documented [2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
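The mitigation above boils down to two habits: never let register_globals populate variables from the request, and encode untrusted values before reflecting them. The following PHP is an added illustration written for this page, not phpMyAdmin's own code; the function name, the `$db` variable and the allowlist pattern are assumptions chosen to show the bug class and its hardened form.

```php
<?php
// Added example (not phpMyAdmin code). Shows the register_globals-era pattern
// that the advisory describes, and a hardened replacement for a page that
// reflects a "db" request parameter into HTML. Names are hypothetical.

// --- Weak pattern (depends on register_globals = On) ---------------------
// Under register_globals, a request such as ?db=... silently initialises a
// global $db. Emitting it straight into markup is the bug class in question:
// attacker-controlled input rendered as HTML/JavaScript in the victim's session.
function render_db_heading_weak(): string
{
    global $db;                       // set from the query string by register_globals
    return "<h2>Database: $db</h2>";  // no encoding on output
}

// --- Hardened pattern ----------------------------------------------------
// 1. Read input only from an explicit superglobal, passed in here for
//    testability; and keep register_globals = Off in php.ini (the directive
//    was removed in PHP 5.4, so it must not be relied on either way).
// 2. Validate against the shape a database name is expected to have.
// 3. Encode on output so any remaining characters render as text, not markup.
function render_db_heading(array $get): string
{
    $db = $get['db'] ?? '';
    // Constructed allowlist for illustration: letters, digits, underscore, dash.
    // Real MySQL names allow more, so the output encoding below is not optional.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $db)) {
        return '<p>Invalid database name.</p>';
    }
    $safe = htmlspecialchars($db, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Database: $safe</h2>";
}

// Constructed sample inputs: a normal name, and one carrying markup.
foreach (['sales', 'x<b>y</b>'] as $sample) {
    echo render_db_heading(['db' => $sample]), PHP_EOL;
}
```

The second sample is rejected by validation; if the allowlist were relaxed, `htmlspecialchars` with `ENT_QUOTES` still neutralises `<`, `>`, `"` and `'` so the value cannot break out of the heading.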

Affected products

3
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

10

News mentions

0

No linked articles in our index yet.