CVE-2011-1940
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject arbitrary web script or HTML via a crafted table name that triggers improper HTML rendering on a Tracking page, related to (1) libraries/tbl_links.inc.php and (2) tbl_tracking.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in phpMyAdmin 3.3.x and 3.4.x via crafted table name on Tracking page.
Vulnerability
phpMyAdmin versions 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 are vulnerable to multiple cross-site scripting (XSS) flaws. The vulnerabilities reside in libraries/tbl_links.inc.php and tbl_tracking.php. When a crafted table name is displayed on the Tracking page, insufficient HTML escaping allows arbitrary script injection [1][2].
Exploitation
An attacker can craft a table name containing malicious HTML or JavaScript. No authentication beyond database write access is needed to create such a table in phpMyAdmin. When an administrator or user views the Tracking page for that table, the injected script executes in the context of the phpMyAdmin session [1].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into the Tracking page, potentially leading to session hijacking, defacement, or theft of sensitive data within the phpMyAdmin interface [1].
Mitigation
Upgrade to phpMyAdmin 3.3.10.1, 3.4.1, or later. The fixes are available in commit 7e10c132a3887c8ebfd7a8eee356b28375f1e287 and others [2]. No workaround is documented; upgrading is the recommended action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 3.3.0, < 3.3.10.1 | 3.3.10.1 |
| phpmyadmin/phpmyadmin | Packagist | >= 3.4.0, < 3.4.1 | 3.4.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- (no CPE) version range: < 3.3.10.1 (3.3.x) or < 3.4.1 (3.4.x)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-3.php (NVD: patch, vendor advisory)
- github.com/advisories/GHSA-4q58-5x28-53wv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-1940 (GHSA advisory)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (NVD: commit link)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (GHSA: commit link)
- www.debian.org/security/2012/dsa-2391 (NVD)
News mentions
No linked articles in our index yet.