CVE-2011-4782
Description
Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter in the setup interface.
Vulnerability
The vulnerability is a cross-site scripting (XSS) issue in the setup interface of phpMyAdmin, specifically in the libraries/config/ConfigFile.class.php file. It affects phpMyAdmin versions 3.4.x prior to 3.4.9. The host parameter is not properly sanitized, allowing injection of arbitrary web script or HTML. [1][4]
Exploitation
An attacker can exploit this by crafting a malicious host parameter and tricking a user into visiting the /setup page. If the config directory exists and is writable, the injected payload can be saved to that directory, making the XSS persistent. The attack requires no authentication but relies on user interaction (visiting the crafted URL). [4]
Impact
Successful exploitation enables the attacker to inject arbitrary web script or HTML into the setup interface. This can lead to information disclosure, session hijacking, or further attacks within the context of the phpMyAdmin setup environment. The impact is limited to users who access the /setup page. [4]
Mitigation
The fix is included in phpMyAdmin version 3.4.9, released on 2011-12-21. Users should upgrade to 3.4.9 or later, or apply the patch from commit 0e707906e69ce90c4852a0fce2a0fac7db86a3cd. As a workaround, ensure the config directory is not writable and do not follow untrusted links to the /setup page. [4]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 3.4.0, < 3.4.9 | 3.4.9 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.8.0:*:*:*:*:*:*:*
- (no CPE) range: >=3.4.0, <3.4.9
- GHSA version ranges (2 entries):
  - (no CPE) range: >= 3.4.0, < 3.4.9
  - (no CPE) range: < 4.6.5.2-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.phpmyadmin.net/home_page/security/PMASA-2011-19.php (nvd: Patch, Vendor Advisory; WEB)
2. github.com/advisories/GHSA-2h23-c973-x63q (ghsa; ADVISORY)
3. nvd.nist.gov/vuln/detail/CVE-2011-4782 (ghsa; ADVISORY)
4. lists.fedoraproject.org/pipermail/package-announce/2012-January/071523.html (nvd; WEB)
5. lists.fedoraproject.org/pipermail/package-announce/2012-January/071537.html (nvd; WEB)
6. phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd; WEB)
7. phpmyadmin.git.sourceforge.net/git/gitweb.cgi (ghsa; WEB)
8. www.mandriva.com/security/advisories (nvd; WEB)
9. exchange.xforce.ibmcloud.com/vulnerabilities/71938 (nvd; WEB)
News mentions
No linked articles in our index yet.