CVE-2009-3696
Description
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in phpMyAdmin allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.
Vulnerability
phpMyAdmin versions 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 contain a cross-site scripting (XSS) vulnerability. Table names (and, per the fix commits, the page descriptions of the PDF relation schema) are read back from MySQL and echoed into HTML without escaping, so an attacker who controls a table name can inject arbitrary HTML and JavaScript into the pages that list it. The vulnerability is described in PMASA-2009-6 [2].
Exploitation
An attacker who can create or rename a MySQL table gives it a name containing HTML or script. When a phpMyAdmin user later opens a page that lists that table (the database structure page, the PDF schema / designer pages), the name is echoed unescaped and the script runs in that user's phpMyAdmin session. This is not an authentication bypass: the attacker needs database privileges sufficient to create or rename a table in a database that phpMyAdmin serves (or must persuade an administrator to create the table), and a victim with a phpMyAdmin session must view the affected page [1][3].
Impact
Successful exploitation lets a remote attacker inject arbitrary web script or HTML that runs in the victim's browser inside the victim's phpMyAdmin session, enabling session hijacking, defacement, theft of information displayed by phpMyAdmin and, since a phpMyAdmin session can issue SQL, actions against the database with the victim's privileges [1]. Because the payload is stored in a table name, it fires for every user who views the affected page until the name is changed.
Mitigation
The vulnerability is fixed in phpMyAdmin 2.11.9.6 and 3.2.2.1; the ChangeLog entries in the fix commits date both releases 2009-10-12 [2]. Users are advised to upgrade immediately. Distribution updates followed (two Fedora package announcements, an openSUSE advisory, and Mandriva, Gentoo and Red Hat bug trackers are among the references) [2]. No workarounds are documented; upgrading is the recommended mitigation [1][3]. Two follow-ups a practitioner should add: the fix changes only how names are rendered, so a crafted table name or PDF page description planted before the upgrade is still stored and should be located and renamed; and because the payload has to be planted through CREATE TABLE, RENAME TABLE or ALTER TABLE ... RENAME, limiting which accounts hold those privileges on databases served by phpMyAdmin limits who can plant it.
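Because the payload lives in stored identifiers, the check to run after upgrading is a scan of existing table names and PDF page descriptions for HTML metacharacters. The script below is an added example (not phpMyAdmin code and not taken from any advisory cited on this page): the `QUERIES` strings are what an operator would run, the `phpmyadmin.pma_pdf_pages` name is the conventional configuration-storage default and is an assumption (the real names come from `$cfg['Servers'][$i]['pmadb']` and `['pdf_pages']` in config.inc.php), and the rows in `SAMPLE_RESULTS` are constructed so the audit runs offline.

```python
"""Post-upgrade audit for stored CVE-2009-3696 payloads.

Added example, not part of phpMyAdmin. The fix only changes rendering; a
crafted table name or PDF page description stored before the upgrade is still
in the database. This flags identifiers and descriptions containing HTML
metacharacters so they can be reviewed and renamed. SAMPLE_RESULTS is
constructed data standing in for the results of QUERIES; swap in a real cursor
to run it against a server.
"""
import re

# What an operator would run. The second query targets phpMyAdmin's
# configuration storage; 'phpmyadmin.pma_pdf_pages' is the conventional
# default and is an assumption here (see config.inc.php: pmadb / pdf_pages).
QUERIES = {
    "table": "SELECT table_schema, table_name FROM information_schema.tables "
             "WHERE table_schema NOT IN ('mysql', 'information_schema')",
    "pdf_page": "SELECT db_name, page_descr FROM phpmyadmin.pma_pdf_pages",
}

# Anything that can open a tag, terminate an attribute value, or start an entity.
HTML_META = re.compile(r'[<>&"\']')

# Constructed sample results, in the column order of the queries above.
SAMPLE_RESULTS = {
    "table": [
        ("shop", "orders"),
        ("shop", "order_items"),
        ("shop", '"><img src=x onerror=alert(1)>'),   # stored XSS payload
        ("shop", "o'reilly_books"),                    # legitimate, but worth a look
    ],
    "pdf_page": [
        ("shop", "Schema overview"),
        ("shop", "<script>alert(1)</script>"),
    ],
}


def suspicious(kind: str, rows) -> list:
    """One finding per (scope, name) row whose name contains HTML metacharacters."""
    findings = []
    for scope, name in rows:
        hits = sorted(set(HTML_META.findall(name)))
        if hits:
            findings.append({"kind": kind, "scope": scope, "name": name, "chars": hits})
    return findings


def audit(results=SAMPLE_RESULTS) -> list:
    """Run suspicious() over every result set; `results` maps query key -> rows."""
    out = []
    for kind, rows in results.items():
        out.extend(suspicious(kind, rows))
    return out


def rename_statement(scope: str, name: str, replacement: str) -> str:
    """Backquoted RENAME TABLE for a flagged table; a backtick inside an identifier is doubled."""
    def q(ident: str) -> str:
        return "`" + ident.replace("`", "``") + "`"
    return f"RENAME TABLE {q(scope)}.{q(name)} TO {q(scope)}.{q(replacement)};"


if __name__ == "__main__":
    for f in audit():
        print(f"{f['kind']:8} {f['scope']}: {f['name']!r} contains {''.join(f['chars'])}")
```

A single quote is flagged as well as `<` and `>`: it is harmless in the patched templates, which double-quote their attributes, but a name like `o'reilly_books` deserves a glance if the same identifiers are rendered by other tooling with single-quoted attributes.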
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 2.11.0, < 2.11.9.6 | 2.11.9.6 |
| phpmyadmin/phpmyadmin (Packagist) | >= 3.0.0, < 3.2.2.1 | 3.2.2.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0-alpha:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0-beta:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0-beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0-beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*
- (no CPE) range: <2.11.9.6, >=3.0.0 <3.2.2.1
Patches
212daad0c082 [security] XSS and SQL injection
4 files changed · +20 −14
ChangeLog+3 −0 modified@@ -11,6 +11,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - [core] do not automatically set and create TempDir, it might lead to security issue (thanks to Thijs Kinkhorst) +2.11.9.6 (2009-10-12) +- [security] XSS and SQL injection, thanks to Herman van Rink + 2.11.9.5 (2009-03-24) - [security] XSS vulnerability on export page - [security] Insufficient output sanitizing when generating configuration file
db_operations.php+1 −1 modified@@ -463,7 +463,7 @@ <?php while ($pages = @PMA_DBI_fetch_assoc($test_rs)) { echo ' <option value="' . $pages['page_nr'] . '">' - . $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n"; + . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n"; } // end while PMA_DBI_free_result($test_rs); unset($test_rs);
pdf_pages.php+6 −6 modified@@ -273,7 +273,7 @@ if (isset($chpage) && $chpage == $curr_page['page_nr']) { echo ' selected="selected"'; } - echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>'; + echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>'; } // end while echo "\n"; ?> @@ -426,12 +426,12 @@ function resetDrag() { echo "\n" . ' <td>' . "\n" . ' <select name="c_table_' . $i . '[name]">'; foreach ($selectboxall AS $key => $value) { - echo "\n" . ' <option value="' . $value . '"'; + echo "\n" . ' <option value="' . htmlspecialchars($value) . '"'; if ($value == $sh_page['table_name']) { echo ' selected="selected"'; $tabExist[$_mtab] = TRUE; } - echo '>' . $value . '</option>'; + echo '>' . htmlspecialchars($value) . '</option>'; } // end while echo "\n" . ' </select>' . "\n" . ' </td>'; @@ -459,7 +459,7 @@ function resetDrag() { echo "\n" . ' <td>' . "\n" . ' <select name="c_table_' . $i . '[name]">'; foreach ($selectboxall AS $key => $value) { - echo "\n" . ' <option value="' . $value . '">' . $value . '</option>'; + echo "\n" . ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>'; } echo "\n" . ' </select>' . "\n" . ' </td>'; @@ -490,8 +490,8 @@ function resetDrag() { if (!empty($tabExist) && is_array($tabExist)) { foreach ($tabExist AS $key => $value) { if (!$value) { - $_strtrans .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n"; - $_strname .= '<li>' . $key . '</li>' . "\n"; + $_strtrans .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n"; + $_strname .= '<li>' . htmlspecialchars($key) . '</li>' . "\n"; $shoot = TRUE; } }
pmd_pdf.php+10 −7 modified@@ -23,26 +23,29 @@ $pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']); $pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']); + $scale_q = PMA_sqlAddslashes($scale); + $pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number); if (isset($exp)) { - $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'"; + $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'"; PMA_query_as_cu($sql,TRUE,PMA_DBI_QUERY_STORE); } if (isset($imp)) { PMA_query_as_cu( 'UPDATE ' . $pma_table . ',' . $pmd_table . - ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ', - ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.' + ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ', + ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '. $scale_q .' WHERE ' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name` AND ' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name` AND - ' . $pmd_table . '.`db_name`=\''.$db.'\' - AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE); } + ' . $pmd_table . '.`db_name`=\''. PMA_sqlAddslashes($db) .'\' + AND pdf_page_number = ' . $pdf_page_number_q . ';', TRUE, PMA_DBI_QUERY_STORE); + } die("<script>alert('$strModifications');history.go(-2);</script>"); } 
@@ -76,11 +79,11 @@ <select name="pdf_page_number"> <?php $table_info_result = PMA_query_as_cu('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).' - WHERE db_name = \''.$db.'\''); + WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''); while($page = PMA_DBI_fetch_assoc($table_info_result)) { ?> - <option value="<?php echo $page['page_nr'] ?>"><?php echo $page['page_descr'] ?></option> + <option value="<?php echo $page['page_nr'] ?>"><?php echo htmlspecialchars($page['page_descr']) ?></option> <?php } ?>
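Review bot: in the pmd_pdf.php hunk, `PMA_sqlAddslashes()` is the wrong tool for `$scale` and `$pdf_page_number`. Both are interpolated without surrounding quotes (`ROUND(x/" . $scale_q . ")` and `AND pdf_page_number = ' . $pdf_page_number_q`), so escaping quotes and backslashes leaves a value such as `1 OR 1=1` untouched and the statement can still be rewritten. Suggested: `$scale_q = (float) $scale;` and `$pdf_page_number_q = (int) $pdf_page_number;`, keeping `PMA_sqlAddslashes()` only for the quoted `$db` literal. Separately, the unchanged `die("<script>alert('$strModifications');history.go(-2);</script>")` line interpolates a string into JavaScript without escaping; it stays safe only while `$strModifications` remains a trusted message from the language files.

Review bot: in the db_operations.php and pdf_pages.php hunks, `$pages['page_nr']` and `$curr_page['page_nr']` are still echoed raw into the `value` attribute and the visible text next to the now-escaped `page_descr`. That is fine only if `page_nr` is a numeric column of the pdf_pages table; if that is not guaranteed, escape it the same way or cast it with `(int)`.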
8ec543499972 [security] XSS and SQL injection
5 files changed · +22 −16
ChangeLog+3 −0 modified@@ -55,6 +55,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #2872247 [interface] Failed opening required 'mysql_charsets.lib.php', thanks to CyberLeo Kitsana - cyberleo - bug [structure] "In use" table incorrectly reported as "view" +3.2.2.1 (2009-10-12) +- [security] XSS and SQL injection, thanks to Herman van Rink + 3.2.2.0 (2009-09-13) - bug #2825293 [structure] Default value for a BIT column - bug [display] Red arrows were reversed in the list of tables
db_operations.php+1 −1 modified@@ -627,7 +627,7 @@ <?php while ($pages = @PMA_DBI_fetch_assoc($test_rs)) { echo ' <option value="' . $pages['page_nr'] . '">' - . $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n"; + . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n"; } // end while PMA_DBI_free_result($test_rs); unset($test_rs);
db_structure.php+2 −2 modified@@ -287,7 +287,7 @@ $row_count++; if ($table_is_view) { - $hidden_fields[] = '<input type="hidden" name="views[]" value="' . $each_table['TABLE_NAME'] . '" />'; + $hidden_fields[] = '<input type="hidden" name="views[]" value="' . htmlspecialchars($each_table['TABLE_NAME']) . '" />'; } if ($each_table['TABLE_ROWS'] > 0) { @@ -373,7 +373,7 @@ <tr class="<?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>"> <td align="center"> <input type="checkbox" name="selected_tbl[]" - value="<?php echo $each_table['TABLE_NAME']; ?>" + value="<?php echo htmlspecialchars($each_table['TABLE_NAME']); ?>" id="checkbox_tbl_<?php echo $i; ?>"<?php echo $checked; ?> /></td> <th><label for="checkbox_tbl_<?php echo $i; ?>" title="<?php echo $alias; ?>" style="<?php echo $ignored ? ' ignored' : ''; ?>"><?php echo $truename; ?></label>
pdf_pages.php+6 −6 modified@@ -270,7 +270,7 @@ if (isset($chpage) && $chpage == $curr_page['page_nr']) { echo ' selected="selected"'; } - echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>'; + echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>'; } // end while echo "\n"; ?> @@ -429,12 +429,12 @@ function resetDrag() { echo "\n" . ' <td>' . "\n" . ' <select name="c_table_' . $i . '[name]">'; foreach ($selectboxall AS $key => $value) { - echo "\n" . ' <option value="' . $value . '"'; + echo "\n" . ' <option value="' . htmlspecialchars($value) . '"'; if ($value == $sh_page['table_name']) { echo ' selected="selected"'; $tabExist[$_mtab] = TRUE; } - echo '>' . $value . '</option>'; + echo '>' . htmlspecialchars($value) . '</option>'; } // end while echo "\n" . ' </select>' . "\n" . ' </td>'; @@ -462,7 +462,7 @@ function resetDrag() { echo "\n" . ' <td>' . "\n" . ' <select name="c_table_' . $i . '[name]">'; foreach ($selectboxall AS $key => $value) { - echo "\n" . ' <option value="' . $value . '">' . $value . '</option>'; + echo "\n" . ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>'; } echo "\n" . ' </select>' . "\n" . ' </td>'; @@ -493,8 +493,8 @@ function resetDrag() { if (!empty($tabExist) && is_array($tabExist)) { foreach ($tabExist AS $key => $value) { if (!$value) { - $_strtrans .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n"; - $_strname .= '<li>' . $key . '</li>' . "\n"; + $_strtrans .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n"; + $_strname .= '<li>' . htmlspecialchars($key) . '</li>' . "\n"; $shoot = TRUE; } }
pmd_pdf.php+10 −7 modified@@ -23,26 +23,29 @@ $pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']); $pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']); + $scale_q = PMA_sqlAddslashes($scale); + $pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number); if (isset($exp)) { - $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'"; + $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'"; PMA_query_as_controluser($sql,TRUE,PMA_DBI_QUERY_STORE); } if (isset($imp)) { PMA_query_as_controluser( 'UPDATE ' . $pma_table . ',' . $pmd_table . - ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ', - ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.' + ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ', + ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '. $scale_q .' WHERE ' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name` AND ' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name` AND - ' . $pmd_table . '.`db_name`=\''.$db.'\' - AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE); } + ' . $pmd_table . '.`db_name`=\''. PMA_sqlAddslashes($db) .'\' + AND pdf_page_number = ' . $pdf_page_number_q . ';', TRUE, PMA_DBI_QUERY_STORE); + } die("<script>alert('$strModifications');history.go(-2);</script>"); } 
@@ -79,11 +82,11 @@ <select name="pdf_page_number"> <?php $table_info_result = PMA_query_as_controluser('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).' - WHERE db_name = \''.$db.'\''); + WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''); while($page = PMA_DBI_fetch_assoc($table_info_result)) { ?> - <option value="<?php echo $page['page_nr'] ?>"><?php echo $page['page_descr'] ?></option> + <option value="<?php echo $page['page_nr'] ?>"><?php echo htmlspecialchars($page['page_descr']) ?></option> <?php } ?>
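Review bot: in the db_structure.php hunk, the `selected_tbl[]` checkbox value now goes through `htmlspecialchars()`, but on the same row `title="<?php echo $alias; ?>"` and the label text `<?php echo $truename; ?>` are echoed without any visible escaping. If `$alias` and `$truename` are derived from `$each_table['TABLE_NAME']` and are not escaped where they are assigned, the crafted table name still reaches the page one cell to the right of the fix; either escape them at this echo or note where upstream that is done.

Review bot: the pmd_pdf.php hunk in this commit is the same change as in 212daad0c082 and carries the same weakness: `$scale_q` and `$pdf_page_number_q` are quote-escaped but used unquoted in numeric positions, so a cast (`(float)` / `(int)`) rather than `PMA_sqlAddslashes()` is what those two need.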
Vulnerability mechanics
Root cause
"Missing HTML escaping of user-controllable MySQL table names and page descriptions before output in web pages allows cross-site scripting."
Attack vector
An attacker who can create or rename a MySQL table gives it a name carrying a JavaScript payload. The name is stored in the database and later echoed into HTML without sanitization when a phpMyAdmin administrator views a page that lists tables, such as the database structure page or the PDF schema / designer pages [CWE-79]. The affected output paths are in `pdf_pages.php`, `db_structure.php`, and `db_operations.php` [patch_id=18830][patch_id=18831]. No authentication bypass is involved: the attacker needs the privilege to create or rename tables in a database that phpMyAdmin serves, and a victim must then view the page.
Affected code
The vulnerability spans multiple files: `pdf_pages.php` (hunks at lines 273, 426, 459 and 490 in 2.11.x; 270, 429, 462 and 493 in 3.x), `db_operations.php` (line 463 in 2.11.x, line 627 in 3.x), `db_structure.php` (lines 287 and 373; fixed in the 3.x commit only), and `pmd_pdf.php` (lines 23-82). The HTML locations output database values (table names, PDF page descriptions) without HTML entity encoding; `pmd_pdf.php` additionally interpolates `$db`, `$scale` and `$pdf_page_number` into SQL strings without escaping, which is the SQL injection named in the ChangeLog entries.
What the fix does
The patches apply `htmlspecialchars()` to the values before they are inserted into HTML output. In `pdf_pages.php` and `db_operations.php`, `page_descr` and the table names in the `$selectboxall` and `$tabExist` loops are wrapped with `htmlspecialchars()` [patch_id=18830][patch_id=18831]. In `db_structure.php`, `$each_table['TABLE_NAME']` is escaped in both the hidden `views[]` field and the `selected_tbl[]` checkbox value [patch_id=18831]. The `pmd_pdf.php` changes add `PMA_sqlAddslashes()` around `$db`, `$scale` and `$pdf_page_number` in the SQL statements, addressing the SQL injection alongside the XSS fix [patch_id=18830][patch_id=18831]. Two caveats for anyone reviewing or backporting: `htmlspecialchars()` with its default flags (ENT_COMPAT in the PHP versions of the time) leaves single quotes alone, which is sufficient here only because the patched attributes are double-quoted; and quote-escaping does nothing for `$scale` and `$pdf_page_number`, which are interpolated unquoted as numeric literals, so unless they are validated as numbers upstream a cast is the robust fix.
Preconditions
- input: Attacker must be able to create or rename a MySQL table with an arbitrary name containing HTML/JavaScript
- config: phpMyAdmin must have the Designer/PDF schema feature enabled (for some attack paths)
- auth: A victim administrator must view the affected phpMyAdmin page (e.g., database structure or PDF export page)
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.phpmyadmin.net/home_page/security/PMASA-2009-6.php (NVD: Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/2899 (NVD: Patch, Vendor Advisory)
- secunia.com/advisories/37016 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-5pvv-f8h3-gw96 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2009-3696 (GHSA: Advisory)
- bugs.gentoo.org/show_bug.cgi (NVD; bug id not preserved)
- dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdmin-2.11.9.6-notes.html (NVD)
- dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.2.2.1/phpMyAdmin-3.2.2.1-notes.html (NVD)
- freshmeat.net/projects/phpmyadmin/releases/306667 (NVD)
- freshmeat.net/projects/phpmyadmin/releases/306669 (NVD)
- lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html (NVD)
- marc.info, two mailing-list posts (NVD; message ids not preserved)
- typo3.org/extensions/repository/view/phpmyadmin/4.5.0 (GHSA, NVD)
- typo3.org/teams/security/security-bulletins/typo3-sa-2009-015 (GHSA, NVD)
- www.mandriva.com/security/advisories (NVD; advisory id not preserved)
- bugzilla.redhat.com/show_bug.cgi (NVD; bug id not preserved)
- exchange.xforce.ibmcloud.com/vulnerabilities/53742 (NVD)
- github.com/phpmyadmin/phpmyadmin/commit/212daad0c082dfb853e3a4098838781a96b2ce1f (GHSA)
- github.com/phpmyadmin/phpmyadmin/commit/8ec5434999724f61d7df1f9b0b13545274c78b1e (GHSA)
- www.securityfocus.com/bid/36658 (NVD)
- web.archive.org/web/20200228173112/http://www.securityfocus.com/bid/36658 (GHSA)
- www.redhat.com/archives/fedora-package-announce/2009-October/msg00467.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-October/msg00490.html (NVD)