CVE-2011-4780
Description
Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters on export panels.
Vulnerability
The vulnerability resides in libraries/display_export.lib.php where URL parameters are not properly sanitized, leading to cross-site scripting (XSS). The export panels in the server, database, and table sections are affected. phpMyAdmin versions 3.4.x before 3.4.9 are vulnerable [1][2].
Exploitation
An attacker must trick a logged-in phpMyAdmin user into clicking a crafted link containing malicious URL parameters. The user must have a valid token. The attack requires user interaction and is considered non-critical due to low likelihood of success [2].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML, potentially leading to information disclosure or session hijacking within the phpMyAdmin context.
Mitigation
Upgrade to phpMyAdmin 3.4.9 or later, or apply the patch from commit bd3735ba584e7a49aee78813845245354b061f61 [1]. No workarounds are documented.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.8.0:*:*:*:*:*:*:*
- (no CPE) range: <3.4.9
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-20.php (nvd; Patch, Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2012-January/071523.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2012-January/071537.html (nvd)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/51226 (nvd)