CVE-2011-4064
Description
Cross-site scripting (XSS) vulnerability in the setup interface in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary web script or HTML via a crafted value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS in the setup interface of phpMyAdmin 3.4.x before 3.4.6, triggered by a crafted configuration value; it becomes stored XSS when the config directory is writable and the value is saved.
Vulnerability
phpMyAdmin versions 3.4.x before 3.4.6 contain a cross-site scripting (XSS) vulnerability in the setup interface. A crafted value entered in the setup interface is rendered back without adequate escaping and can trigger XSS; if the config directory exists and is writable, the value can be saved there, so the payload persists and the XSS becomes stored. The issue is documented as PMASA-2011-16 [2].
Exploitation
An attacker must be able to submit a crafted value to the setup interface (/setup). The setup interface itself performs no authentication, so none is required if it is reachable. When the config directory is writable, the attacker can also persist the payload, and the script then executes in the browser of any administrator who subsequently opens /setup and has the saved value rendered [2].
Impact
Successful exploitation allows injection of arbitrary HTML and JavaScript in the origin of the phpMyAdmin installation. This can lead to theft of session cookies, phishing, or other actions performed with the victim's privileges. The injection point is confined to the setup interface; it does not directly affect the main phpMyAdmin operations unless the attacker uses the foothold to steal administrator credentials [2].
Mitigation
Upgrade to phpMyAdmin version 3.4.6 or later. Patches are available in commits ca597dc423f3eebcca95ff33b088a03e39109115 and 1af420e22367ae72ff4091adb1620e59ddad5ba6 [2]. Administrators should also ensure the config directory is not world-writable, as documented in the manual, so that a crafted value cannot be persisted. This issue is not listed in the CISA KEV catalog (as of currently available data).
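The two conditions the advisory text hinges on, a version in the affected range and a writable config directory, can be checked locally. The following audit script is an added example, not phpMyAdmin's own code. It assumes (a) the affected range listed on this page (>=3.4.0, <3.4.6) and (b) that the installed version can be read from a `PMA_VERSION` string in libraries/Config.class.php, which is an assumption about the 3.4.x file layout; the sample file and directory it exercises are constructed in a temporary location.

```python
"""Added example (not phpMyAdmin code): audit a host for CVE-2011-4064 exposure.

Checks two conditions from the advisory text:
  1. the installed phpMyAdmin version falls in >=3.4.0, <3.4.6;
  2. the setup config directory exists and is writable (world-writable, or
     writable by the user running this script), which is what lets a crafted
     setup value be persisted.
"""
import os
import re
import stat
import tempfile

AFFECTED_MIN = (3, 4, 0)   # first affected release per the page's CPE list
FIXED = (3, 4, 6)          # first fixed release per PMASA-2011-16

# Assumption: 3.4.x stores the version as $this->set('PMA_VERSION', '3.4.5');
_PMA_VERSION_RE = re.compile(r"PMA_VERSION'\s*,\s*'([^']+)'")


def parse_version(version: str) -> tuple:
    """'3.4.3.1' -> (3, 4, 3, 1). Parsing stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies in the affected range >=3.4.0, <3.4.6."""
    parsed = parse_version(version)
    if len(parsed) < 2:
        raise ValueError(f"unparseable version: {version!r}")
    # Pad short versions ('3.4' -> (3, 4, 0)); tuple comparison handles the rest,
    # e.g. (3, 4, 3, 1) < (3, 4, 6) and (3, 4, 6, 0) >= (3, 4, 6).
    parsed = parsed + (0,) * max(0, 3 - len(parsed))
    return AFFECTED_MIN <= parsed < FIXED


def read_pma_version(config_class_php: str) -> str:
    """Extract the PMA_VERSION string from a Config.class.php file (assumed layout)."""
    with open(config_class_php, encoding="utf-8", errors="replace") as fh:
        match = _PMA_VERSION_RE.search(fh.read())
    if not match:
        raise ValueError("PMA_VERSION not found; file layout differs from assumption")
    return match.group(1)


def config_dir_status(path: str) -> dict:
    """Report whether the setup config directory exists and how it is writable."""
    if not os.path.isdir(path):
        return {"exists": False, "world_writable": False, "writable_by_us": False}
    mode = os.stat(path).st_mode
    return {
        "exists": True,
        "world_writable": bool(mode & stat.S_IWOTH),
        "writable_by_us": os.access(path, os.W_OK),
    }


def assess(version: str, config_dir: str) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    if is_affected(version):
        findings.append(f"phpMyAdmin {version} is in the affected range; upgrade to 3.4.6+")
        status = config_dir_status(config_dir)
        if status["exists"] and (status["world_writable"] or status["writable_by_us"]):
            findings.append(f"config dir {config_dir} is writable: crafted setup "
                            "values can be persisted (stored XSS)")
    return findings


if __name__ == "__main__":
    # Constructed sample install: a vulnerable version string and a 0777 config dir.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "libraries"))
        with open(os.path.join(root, "libraries", "Config.class.php"), "w") as fh:
            fh.write("<?php\n$this->set('PMA_VERSION', '3.4.5');\n")
        cfg = os.path.join(root, "config")
        os.mkdir(cfg)
        os.chmod(cfg, 0o777)
        for line in assess(read_pma_version(
                os.path.join(root, "libraries", "Config.class.php")), cfg):
            print(line)
```

Run it against a real install by pointing `read_pma_version` at the installation's libraries/Config.class.php and `assess` at its config directory; if the version string is not where the assumption expects, the script says so rather than guessing.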
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
- version range (no CPE): >=3.4.0, <3.4.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-16.php (vendor advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069234.html
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069235.html
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069237.html
- secunia.com/advisories/46874
- securitytracker.com/id
- www.mandriva.com/security/advisories
- www.securityfocus.com/bid/50175
News mentions
No linked articles in our index yet.