CVE-2009-1150
Description
Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cookie-based XSS in phpMyAdmin's export page allows remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie.
Vulnerability
The export page in phpMyAdmin versions 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 contains a cross-site scripting (XSS) vulnerability in display_export.lib.php. The page accepts user settings via cookies, specifically the pma_db_filename_template cookie, which is not properly sanitized before being rendered in the export interface. This allows an attacker to inject malicious HTML or JavaScript code that will be executed in the context of the victim's session [2] [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious pma_db_filename_template cookie value containing arbitrary script or HTML. The victim must have a valid session with the vulnerable phpMyAdmin instance and visit the export page while the manipulated cookie is set. No additional authentication is required beyond the normal user session, and the attack does not require any special network position, as the cookie can be set via a cross-site request or a direct crafted link that sets the cookie [2].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser within the phpMyAdmin domain. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The impact is limited to the phpMyAdmin application and the user's session, potentially exposing sensitive database information or administrative functions [2].
Mitigation
Upgrade to phpMyAdmin version 2.11.9.5 for the 2.11.x series or version 3.1.3.1 for the 3.x series, as these releases contain the fix. Patches are available via the phpMyAdmin Git repository: commits 184934bb10bbe9c9dcc3fe35cf2760029d1974ea (trunk) and 36ddf8b61ee17cb37c0cba666179376a2d965c61 (2.11 branch). Gentoo Linux users can upgrade to >=dev-db/phpmyadmin-2.11.9.5 via the package manager [2] [3]. No other workarounds are documented for this specific cookie-based XSS.
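The defect and its fix in a reduced, illustrative form. This is an added example, not phpMyAdmin's display_export.lib.php: a hypothetical export form that reads a filename template from the pma_db_filename_template cookie and writes it into an input's value attribute, first unescaped (the vulnerable pattern) and then with attribute-context output encoding plus an assumed allow-list of template characters.

```php
<?php
// Illustrative only; not phpMyAdmin's code. The template value comes from a
// cookie the browser controls, so it is untrusted input like any request parameter.

const DEFAULT_TEMPLATE = '__DB__';

// Vulnerable pattern: the raw cookie value is concatenated into an HTML attribute.
// A value containing a double quote closes the attribute early and the rest of
// the cookie becomes live markup in the export page.
function render_template_field_unsafe(array $cookies): string
{
    $template = $cookies['pma_db_filename_template'] ?? DEFAULT_TEMPLATE;
    return '<input type="text" name="filename_template" value="' . $template . '" />';
}

// Hardened pattern: encode for the attribute context on output. ENT_QUOTES
// covers both quote styles; ENT_SUBSTITUTE avoids dropping the whole string on
// invalid UTF-8.
function render_template_field_safe(array $cookies): string
{
    $template = $cookies['pma_db_filename_template'] ?? DEFAULT_TEMPLATE;
    $escaped  = htmlspecialchars($template, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="filename_template" value="' . $escaped . '" />';
}

// Defence in depth (assumed character set, not phpMyAdmin's real template grammar):
// accept only characters a filename template plausibly needs, such as __DB__ and
// %Y%m%d-style date tokens, and fall back to the default for anything else.
function sanitize_template(string $template): string
{
    return preg_match('/^[A-Za-z0-9_@.%\-]+$/', $template) === 1 ? $template : DEFAULT_TEMPLATE;
}

// Constructed cookie value containing attribute-breaking characters.
$cookies = ['pma_db_filename_template' => '__DB__" <b>x</b>'];

// Vulnerable rendering: the quote and angle brackets reach the page unencoded.
echo render_template_field_unsafe($cookies), PHP_EOL;

// Hardened rendering: the same value is shown literally in the field.
echo render_template_field_safe($cookies), PHP_EOL;

// Allow-list first, then encode: the rejected template is replaced by the default.
$cookies['pma_db_filename_template'] = sanitize_template($cookies['pma_db_filename_template']);
echo render_template_field_safe($cookies), PHP_EOL;
```

Output encoding at the rendering point is the fix that closes the bug; the allow-list only reduces what an attacker can put in the template in the first place, so it should not replace encoding.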
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- (no CPE) range: <2.11.9.5, <3.1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2009-2.php (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/34430 (nvd; Vendor Advisory)
- secunia.com/advisories/34642 (nvd; Vendor Advisory)
- secunia.com/advisories/35585 (nvd; Vendor Advisory)
- secunia.com/advisories/35635 (nvd; Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html (nvd)
- phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/libraries/display_export.lib.php (nvd)
- security.gentoo.org/glsa/glsa-200906-03.xml (nvd)
- www.debian.org/security/2009/dsa-1824 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/34251 (nvd)
News mentions
No linked articles in our index yet.