Unrated severity · NVD Advisory · Published Oct 8, 2011 · Updated Apr 29, 2026
CVE-2011-3598
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpPgAdmin before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) a web page title, related to classes/Misc.php; or the (2) return_url or (3) return_desc parameter to display.php.
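Both sinks named above are output-encoding failures in different HTML contexts: a page title interpolated into the `<title>` element body, and request parameters interpolated into an `<a href>` attribute and its link text. The following PHP is an added illustration written for this page, not phpPgAdmin's own code: it shows the raw interpolation that makes the original sinks exploitable next to a hardened form that encodes per context and, for the `href` sink, validates the return URL before encoding it (attribute encoding alone does not reject a URL whose scheme is itself the problem). The helper names `h`, `safe_return_url`, `render_vulnerable` and `render_hardened`, and the allowlist of script names, are assumptions made for the example.

```php
<?php
// Added example for CVE-2011-3598 (not phpPgAdmin code). Helper names and the
// script allowlist below are hypothetical.
declare(strict_types=1);

// Encode text for an HTML element body or a quoted attribute value.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a relative, same-directory path for a "return to" link.
// Returns null when the value must not be emitted at all.
function safe_return_url(string $url): ?string
{
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // Reject anything carrying a scheme or an authority ("http:", "//host", "\\host").
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url) === 1
        || str_starts_with($url, '//')
        || str_starts_with($url, '\\')) {
        return null;
    }
    // Reject path traversal and control characters.
    if (str_contains($url, '..') || preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return null;
    }
    // Restrict to scripts this application actually serves (assumed list),
    // located in the application root only.
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $allowed = ['display.php', 'tables.php', 'redirect.php'];
    if (dirname($path) !== '.' || !in_array(basename($path), $allowed, true)) {
        return null;
    }
    return $url;
}

// Shape of the code before the fix: raw interpolation into <title> and <a href>.
function render_vulnerable(string $title, string $returnUrl, string $returnDesc): string
{
    $out  = "<title>phpPgAdmin - {$title}</title>\n";
    $out .= "<li><a href=\"{$returnUrl}\">{$returnDesc}</a></li>\n";
    return $out;
}

// Hardened form: encode per context, and validate the URL before encoding it.
function render_hardened(string $title, string $returnUrl, string $returnDesc): string
{
    $out = '<title>' . h("phpPgAdmin - {$title}") . "</title>\n";
    $url = safe_return_url($returnUrl);
    if ($url !== null) {
        $out .= '<li><a href="' . h($url) . '">' . h($returnDesc) . "</a></li>\n";
    }
    return $out;
}

// Constructed sample inputs: a title containing markup characters, one
// acceptable relative return URL and one absolute URL that must be rejected.
$title = 'Table "orders" <draft>';
$cases = [
    ['display.php?table=orders', 'Back to "orders"'],
    ['http://attacker.example/', 'Back'],
];
foreach ($cases as [$url, $desc]) {
    echo "--- vulnerable ---\n", render_vulnerable($title, $url, $desc);
    echo "--- hardened ---\n",   render_hardened($title, $url, $desc);
}
```

In the hardened output the title characters are entity-encoded so they cannot close the `<title>` element, the relative return link survives intact, and the absolute URL produces no link at all rather than an encoded but still live one. The allowlist check is the part the commit below does not include; keep it in one place (a single helper) so every page that honours `return_url` applies the same rule.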
Affected products
17 CPE entries:
- cpe:2.3:a:phppgadmin:phppgadmin:*:*:*:*:*:*:*:* (range: <=5.0.2)
- cpe:2.3:a:phppgadmin:phppgadmin:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:3.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phppgadmin:phppgadmin:5.0.1:*:*:*:*:*:*:*
Patches
1df248203de0: Fix two security fixes about XSS, reported by Mateusz Goik, fixed by ioguix.
3 files changed · +3 −3
classes/Misc.php+1 −1 modified@@ -398,7 +398,7 @@ function printHeader($title = '', $script = null, $frameset = false) { echo "<link rel=\"shortcut icon\" href=\"images/themes/{$conf['theme']}/Favicon.ico\" type=\"image/vnd.microsoft.icon\" />\n"; echo "<link rel=\"icon\" type=\"image/png\" href=\"images/themes/{$conf['theme']}/Introduction.png\" />\n"; echo "<title>", htmlspecialchars($appName); - if ($title != '') echo " - {$title}"; + if ($title != '') echo htmlspecialchars(" - {$title}"); echo "</title>\n"; if ($script) echo "{$script}\n";
display.php+1 −1 modified@@ -578,7 +578,7 @@ function doBrowse($msg = '') { // Return if (isset($_REQUEST['return_url']) && isset($_REQUEST['return_desc'])) - echo "\t<li><a href=\"{$_REQUEST['return_url']}\">{$_REQUEST['return_desc']}</a></li>\n"; + echo "\t<li><a href=\"". htmlspecialchars($_REQUEST['return_url']) ."\">". htmlspecialchars($_REQUEST['return_desc']) ."</a></li>\n"; // Edit SQL link if (isset($_REQUEST['query']))
HISTORY+1 −1 modified@@ -41,7 +41,7 @@ Bugs * Fix multiple bugs about quoting and escaping database objects names with special chars * Fix multiple bugs in the browser tree * Fix multiple bugs on the SQL and script file import form -* One security fix about code injection +* Three security fix about code injection * Don't allow inserting on a table without fields * Some fix about commenting databases * removed deprecated functions from PHP 5.3
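Review bot: In the classes/Misc.php hunk, `htmlspecialchars(" - {$title}")` is called without flags or a charset, so it falls back to PHP's defaults (no single-quote escaping, and a default charset that may not match the page encoding on older PHP); pass `ENT_QUOTES` and the page's charset explicitly, e.g. `htmlspecialchars(" - {$title}", ENT_QUOTES, 'UTF-8')`. Escaping at the sink is the right place, but every caller that already escaped `$title` will now double-encode, so the callers should be checked. Note also that `echo "{$script}\n"` two lines later still emits `$script` raw; that is fine only if `$script` never carries request-derived data.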
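Review bot: In the display.php hunk, `htmlspecialchars($_REQUEST['return_url'])` stops the value from breaking out of the quoted `href` attribute, but it does not constrain what URL the link points to: a value with a non-HTTP scheme is still emitted as a live link, and the link text comes from the same request. Validate `return_url` before output (reject anything with a scheme or authority, restrict to the application's own scripts) and emit nothing when it fails, rather than relying on encoding alone. Reading both values from `$_GET` instead of `$_REQUEST` would also avoid cookie and POST sources being merged into what is, by intent, a query-string parameter.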
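Review bot: In the HISTORY hunk, "Three security fix about code injection" should read "Three security fixes", and the entry still says "code injection" while the commit message describes these as XSS fixes; naming the issue class (XSS) in the changelog makes the release notes easier to match against the advisory.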
References
- sourceforge.net/mailarchive/forum.php (NVD: Patch)
- www.openwall.com/lists/oss-security/2011/10/04/1 (NVD: Patch)
- www.openwall.com/lists/oss-security/2011/10/04/10 (NVD: Patch)
- bugzilla.redhat.com/show_bug.cgi (NVD: Patch)
- github.com/phppgadmin/phppgadmin/commit/1df248203de055f97e092b50b1dd9643ccb73842 (NVD: Patch)
- secunia.com/advisories/46248 (NVD: Vendor Advisory)
- freshmeat.net/projects/phppgadmin/releases/336969 (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2011-October/067843.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2011-October/067846.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2011-October/068009.html (NVD)
- lists.opensuse.org/opensuse-updates/2012-04/msg00033.html (NVD)
- osvdb.org/75997 (NVD)
- osvdb.org/75998 (NVD)
- secunia.com/advisories/46426 (NVD)
- www.securityfocus.com/bid/49914 (NVD)
- bugs.gentoo.org/show_bug.cgi (NVD)