CVE-2011-3181
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Tracking feature in phpMyAdmin 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 allow remote attackers to inject arbitrary web script or HTML via a (1) table name, (2) column name, or (3) index name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 contain multiple XSS vulnerabilities in the Tracking feature, reachable via table, column, or index names.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the Tracking feature of phpMyAdmin versions 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 [1][2]. The lack of sanitization on table names, column names, and index names allows an attacker to inject arbitrary web script or HTML [1].
Exploitation
An attacker must be logged into phpMyAdmin to exploit this issue [1][2]. The attacker can inject malicious script via a crafted table name, column name, or index name during tracking operations [1]. No additional privileges beyond standard user login are required [1].
Impact
Successful exploitation leads to arbitrary script execution in the context of the affected phpMyAdmin session, potentially resulting in information disclosure, session hijacking, or other client-side attacks [1][2]. The impact is limited to actions that the authenticated user can perform [1].
Mitigation
Upgrade to phpMyAdmin 3.3.10.4 or 3.4.4, or apply the patches listed in the official advisory [1]. The fix commits are available for both the 3.3 and 3.4 branches [1]. Users unable to upgrade should ensure they use only trusted data for table, column, and index names [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
- (no CPE) range: >=3.3.0, <=3.3.10.3 || >=3.4.0, <=3.4.3
Patches
No patches discovered yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-13.php (nvd; Patch, Vendor Advisory)
- secunia.com/advisories/45709 (nvd; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065824.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065829.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065854.html (nvd)
- secunia.com/advisories/45990 (nvd)
- www.debian.org/security/2012/dsa-2391 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/49306 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)