CVE-2010-3056
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin versions 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 contain multiple XSS flaws allowing arbitrary web script or HTML injection via crafted URLs or POST parameters.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1. The flaws affect numerous pages including db_search.php, db_sql.php, db_structure.php, js/messages.php, libraries/common.lib.php, libraries/database_interface.lib.php, libraries/dbi/mysql.dbi.lib.php, libraries/dbi/mysqli.dbi.lib.php, libraries/db_info.inc.php, libraries/sanitizing.lib.php, libraries/sqlparser.lib.php, server_databases.php, server_privileges.php, setup/config.php, sql.php, tbl_replace.php, and tbl_sql.php [1]. The input is not properly escaped before being reflected in output, enabling XSS attacks [2].
Exploitation
An attacker can inject arbitrary web script or HTML by crafting malicious URLs or POST parameters and tricking a victim into visiting them [1][2]. If the auth_type directive is set to 'config' and the directory is not protected, these attacks are more likely to succeed; otherwise, the attacker would need to obtain a valid token via another flaw on the server [2]. Proof-of-concept images demonstrate exploitation on pages such as db_sql.php, db_structure.php, server_databases.php, server_privileges.php, and sql.php [1].
Impact
Successful exploitation allows remote attackers to inject arbitrary web script or HTML in the context of the phpMyAdmin session, potentially leading to session hijacking, credential theft, or further compromise of the MySQL administration interface [2]. The severity is considered serious [2], with CWE-79 (Improper Neutralization of Input During Web Page Generation) classification [3].
Mitigation
Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 or newer [2]. The fixes are contained in commits such as 48e909660032ddcbc13172830761e363e7a64d72, be0f47a93141e2950ad400b8d22a2a98512825c2, and others [2]. Red Hat tracking indicates the issue was addressed for Fedora and EPEL [3]. No known exploitation in the wild has been reported by CISA KEV as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- (no CPE) range: <2.11.10.1 and <3.3.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Multiple phpMyAdmin scripts fail to escape user-controllable input before including it in HTML output, enabling stored and reflected cross-site scripting."
Attack vector
An attacker crafts a malicious URL containing JavaScript payloads in one of the unescaped parameters (e.g., `sort`, `sort_by`, `db`, `QUERY_STRING`) and tricks a logged-in phpMyAdmin user into clicking the link [ref_id=1]. When the victim's browser renders the page, the injected script executes in the context of the phpMyAdmin session, allowing the attacker to steal session cookies or perform arbitrary SQL operations on the victim's behalf [ref_id=1]. The attack requires no special privileges and can be delivered via email, forum posts, or any mechanism that sends a crafted URL to an authenticated user [CWE-79].
Affected code
The vulnerability affects numerous phpMyAdmin scripts including db_search.php, db_sql.php, db_structure.php, js/messages.php, server_databases.php, server_privileges.php, setup/config.php, sql.php, and tbl_replace.php [ref_id=1]. Specific user-controllable parameters such as `sort`, `sort_by`, `QUERY_STRING`, `delimiter`, `db`, `checkprivs`, `dbname`, `username`, `DefaultLang`, `goto`, `table`, `zero_rows`, and dynamic field names are not properly escaped before being placed in output [ref_id=1].
What the fix does
The vendor released phpMyAdmin 3.3.5.1 and 2.11.10.1 to address these issues [ref_id=1]. The advisory does not include a patch diff, but the solution is to upgrade to these patched versions, which properly escape user-controllable input before rendering it in HTML output [ref_id=1]. No further technical details about the specific sanitization changes are provided in the available references.
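As an added example that is not phpMyAdmin's own code, the following PHP contrasts the unescaped reflection described under "Root cause" with the context-appropriate escaping that a fix of this kind applies. The function names, the use of the `sort` parameter, and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not phpMyAdmin code): a request parameter such as `sort`
// reflected into HTML, first unescaped as the advisory describes, then escaped.
// Function names and the sample value below are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the value is concatenated straight into markup, so any
// HTML or script contained in the parameter becomes part of the page.
function render_sort_header_unsafe(string $sort): string
{
    return '<th><a href="db_structure.php?sort=' . $sort . '">' . $sort . '</a></th>';
}

// Hardened pattern: encode for the context the value lands in. htmlspecialchars
// with ENT_QUOTES covers element text and both quote styles in attributes;
// urlencode handles the query-string component of the href before the
// resulting URL is itself attribute-encoded.
function render_sort_header_safe(string $sort): string
{
    $text     = htmlspecialchars($sort, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href     = 'db_structure.php?sort=' . urlencode($sort);
    $hrefAttr = htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<th><a href="' . $hrefAttr . '">' . $text . '</a></th>';
}

// Constructed sample input: benign markup with an event handler, standing in
// for an arbitrary injected tag.
$sample = '<b onmouseover="x()">name</b>';

$unsafe = render_sort_header_unsafe($sample);
$safe   = render_sort_header_safe($sample);

// The unescaped output carries a live <b> tag with its handler; the escaped
// output renders the same characters as inert text.
assert(strpos($unsafe, '<b onmouseover=') !== false);
assert(strpos($safe, '<b') === false);
assert(strpos($safe, '&lt;b onmouseover=&quot;x()&quot;&gt;name&lt;/b&gt;') !== false);

echo "unsafe: $unsafe\nsafe:   $safe\n";
```

Run it with `php example.php`; the assertions pass and the two rendered rows are printed side by side. The design point is that escaping is chosen per output context (element text, attribute value, URL component) rather than applied once at input time, which is why a parameter reaching several of the listed scripts needs encoding at every place it is emitted.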
Preconditions
- input: Attacker must craft a URL with malicious JavaScript in one of the unescaped parameters
- auth: Victim must be logged into phpMyAdmin and click the crafted link
- network: No special network position required; attack can be delivered remotely via any link-sharing channel
Reproduction
The advisory provides screenshot-based PoCs but no step-by-step textual reproduction instructions [ref_id=1]. Example URLs with affected parameters include: `http://target/phpmyadmin/db_sql.php?QUERY_STRING=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.phpmyadmin.net/home_page/security/PMASA-2010-5.php (nvd; Patch; Vendor Advisory)
- www.securityfocus.com/bid/42584 (nvd; Patch)
- yehg.net/lab/pr0js/advisories/phpmyadmin/%5Bphpmyadmin-3.3.5%5D_cross_site_scripting%28XSS%29 (nvd; Exploit)
- secunia.com/advisories/41000 (nvd; Vendor Advisory)
- secunia.com/advisories/41185 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2010/2223 (nvd; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2010-August/045991.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-August/045997.html (nvd)
- www.debian.org/security/2010/dsa-2097 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.vupen.com/english/advisories/2010/2231 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
News mentions
No linked articles in our index yet.