CVE-2010-4480
Description
error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PhpMyAdmin error.php before 3.4.0-beta1 allows XSS via crafted BBCode tags with '@' characters, enabling arbitrary link injection.
Vulnerability
In PhpMyAdmin versions prior to 3.4.0-beta1 (including 3.3.8.1), error.php passes user-supplied text through a BBCode-to-HTML rewrite without validating the pieces it substitutes. The link tag is matched by the regular expression `/\[a@([^"@]*)@([^"]*)\]/`: in a tag such as `[a@url@page]`, the first capture (`url`) is copied into the `href` attribute and the second (`page`) into the `target` attribute of a generated `<a>` element. The only constraint the pattern imposes is that neither part contains a double quote, so an attacker cannot close the attribute but does not need to: a `javascript:` URL, or any other URL, is accepted verbatim. The result is a fully attacker-controlled `<a>` element with arbitrary `href` and `target` attributes, i.e. cross-site scripting (XSS) [1][2].
Exploitation
An attacker exploits this by sending the victim a link to error.php whose error query parameter carries the crafted tag. No phpMyAdmin account is needed on the attacker's side; the victim only has to open the URL, and any phpMyAdmin session the victim holds in that browser is what an injected script can then act on. For example, a URL like http://target/phpmyadmin/error.php?type=...&error=...%5Ba%40http://evil.com%40_self%5DClick%5B%2Fa%5D (the percent-encoded form of `[a@http://evil.com@_self]Click[/a]`) makes the application render a link pointing to http://evil.com with target="_self". A plain URL in that position redirects the victim to a site of the attacker's choosing; a javascript: URL in the href executes client-side script when the link is clicked [2].
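The rewrite described in the two sections above, as an added PHP example that is not phpMyAdmin's own code: a minimal re-implementation of the BBCode link substitution using the regular expression from the description, beside an illustrative hardened version. The function names, the allowed-target list, the sample payload and the hardened logic are this example's own assumptions; the hardened variant is not the upstream patch. The script also builds the crafted query string, decodes it the way `$_REQUEST` would, and runs the parameter through both sanitizers.

```php
<?php
// Added example, not phpMyAdmin's code. vulnerable_sanitize() mirrors the
// pre-3.4.0-beta1 BBCode link rewrite described above; hardened_sanitize() is
// an illustrative fix, not the upstream patch. Function names, the allowed
// target list and the sample payload are this example's own assumptions.

// Link tag pattern from the advisory text: [a@url@target]. Group 1 (url) and
// group 2 (target) may contain anything except a double quote.
const BB_LINK_PATTERN = '/\[a@([^"@]*)@([^"]*)\]/';

// Escaping step shared by both variants: raw angle brackets are neutralised,
// so a literal <script> tag in the parameter is harmless on its own.
function escape_and_expand_bbcode(string $message): string
{
    $message = strtr($message, ['<' => '&lt;', '>' => '&gt;']);
    return strtr($message, ['[a]' => '<a>', '[/a]' => '</a>']);
}

// Pre-fix behaviour: both captures are copied verbatim into attribute values.
// The pattern excludes '"', so the attacker cannot close the attribute, but a
// javascript: URL needs no quote to become executable.
function vulnerable_sanitize(string $message): string
{
    $message = escape_and_expand_bbcode($message);
    return preg_replace(BB_LINK_PATTERN, '<a href="\1" target="\2">', $message);
}

// Illustrative hardened variant: a link is emitted only for http(s) URLs and a
// fixed set of targets; any other tag is returned as the inert literal text
// (it already contains no '<', '>' or '"', so it cannot form markup).
function hardened_sanitize(string $message): string
{
    $message = escape_and_expand_bbcode($message);
    return preg_replace_callback(BB_LINK_PATTERN, function (array $m): string {
        [$tag, $url, $target] = $m;
        $allowedTargets = ['', '_self', '_blank'];
        if (!preg_match('#^https?://#i', $url) || !in_array($target, $allowedTargets, true)) {
            return $tag;
        }
        $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        return $target === '' ? "<a href=\"$href\">" : "<a href=\"$href\" target=\"$target\">";
    }, $message);
}

// Constructed proof-of-concept in the style of the description: the tag
// travels in the error= query parameter, percent-encoded by the sender.
$payload  = '[a@javascript:alert(document.cookie)@_self]Click[/a]';
$queryStr = http_build_query(['type' => 'phpMyAdmin', 'error' => $payload]);
echo "Crafted URL: error.php?{$queryStr}\n";

// Server side: decode the query string the way $_REQUEST would present it,
// then run the parameter through each sanitizer.
parse_str($queryStr, $request);
echo "Vulnerable output: " . vulnerable_sanitize($request['error']) . "\n";
echo "Hardened output:   " . hardened_sanitize($request['error']) . "\n";

// A benign http link still becomes a real anchor under the hardened variant.
echo "Benign link:       " . hardened_sanitize('[a@http://www.phpmyadmin.net/@_blank]Home[/a]') . "\n";
```

Run it with `php example.php`. The vulnerable path turns the decoded parameter into an anchor whose href is the javascript: URL and whose target is _self, exactly the element the description warns about; the hardened path leaves that tag as plain text and only rewrites the http link. The check keys on the scheme rather than on a blocklist of `javascript:`, because scheme blocklists are bypassed by case variants and other executable schemes. Note that this variant still permits arbitrary http(s) links, so it removes script execution but not the link-injection (phishing or redirect) vector; a fix that limits links to the project's own documentation and site would close that too.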
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the error page viewed by the victim. This can lead to session hijacking, phishing (a fake login form rendered under the phpMyAdmin origin), or redirection to malicious websites. The vendor considers the impact minor because the affected page only displays error messages and the attack requires user interaction (opening the crafted link) [1]. The XSS could still serve as one step in a broader attack chain.
Mitigation
The fix is included in PhpMyAdmin 3.4.0-beta1, released 2010-12-07; upgrade to that version or later. Users on the 3.3 branch can apply patch commit 9ebd401b0ea4efea8ddc8cd846da559bf420ccaa. The same issue is resolved by commit aa6fec0532a9dd48d4e35831c1b1c9785c124dd7 on the main branch and b01a58118f973f98ab99a4bb28d340af49fa251f on the 2.11 branch. No workaround is given beyond upgrading or applying the patch [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- (no CPE) version range: < 3.4.0-beta1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.exploit-db.com/exploits/15699 (NVD: Exploit)
- secunia.com/advisories/42485 (NVD: Vendor Advisory)
- secunia.com/advisories/42725 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2010/3133 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2011/0001 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2011/0027 (NVD: Vendor Advisory)
- www.debian.org/security/2010/dsa-2139 (NVD)
- www.mandriva.com/security/advisories (NVD)
- www.phpmyadmin.net/home_page/security/PMASA-2010-9.php (NVD)
- www.securityfocus.com/bid/45633 (NVD)
News mentions
No linked articles in our index yet.