VYPR
Low severity · NVD Advisory · Published Aug 21, 2012 · Updated Apr 29, 2026

CVE-2012-4345

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 contain multiple XSS vulnerabilities in the Database Structure page via crafted table names.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the Database Structure page of phpMyAdmin versions 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 [1][2]. The page fails to properly sanitize table names, allowing injection of arbitrary web script or HTML when a crafted table name is used during table creation, or when the Empty or Drop links for such a table are clicked [1]. Additional related XSS issues also affect the Table Operations, Triggers, and GIS data visualization pages [2].

Exploitation

An attacker must have authenticated access to phpMyAdmin. They can either create a table with a crafted name or rely on an existing table with a malicious name already present in the database [2]. When the Database Structure page is loaded, the crafted table name is rendered unsanitized, causing the XSS payload to execute. Alternatively, clicking the Empty or Drop links for the crafted table triggers the injection [1]. No special privileges beyond a valid user account are required.
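The rendering flaw described above, shown next to an output-encoded version, as an added example that is not phpMyAdmin's own code. The script name `structure_action.php`, its query parameters and the helper names are hypothetical, and the table name is a constructed sample.

```php
<?php
// Added illustration, not phpMyAdmin source. The script name
// structure_action.php and its query parameters are hypothetical.

// Encode for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Flawed pattern: the table name is concatenated into markup as-is,
// so characters such as " < > change the structure of the page.
function row_unsafe(string $db, string $table): string
{
    $url = 'structure_action.php?db=' . $db . '&table=' . $table;
    return '<tr><td>' . $table . '</td>'
        . '<td><a href="' . $url . '&action=empty">Empty</a></td>'
        . '<td><a href="' . $url . '&action=drop">Drop</a></td></tr>';
}

// Hardened pattern, step 1: percent-encode each value for the URL.
function action_url(string $db, string $table, string $action): string
{
    $params = ['db' => $db, 'table' => $table, 'action' => $action];
    return 'structure_action.php?'
        . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Step 2: HTML-encode at the point of output, for both the cell text
// and the href attribute value.
function row_safe(string $db, string $table): string
{
    return '<tr><td>' . h($table) . '</td>'
        . '<td><a href="' . h(action_url($db, $table, 'empty')) . '">Empty</a></td>'
        . '<td><a href="' . h(action_url($db, $table, 'drop')) . '">Drop</a></td></tr>';
}

// Constructed sample: a table name containing markup metacharacters.
$table = 'orders"><b>x</b>';
echo row_unsafe('shop', $table), PHP_EOL;
echo row_safe('shop', $table), PHP_EOL;
```

Comparing the two output lines shows the name breaking out of the `href` attribute in the first row and staying inert text in the second.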

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the phpMyAdmin interface, operating within the security context of the authenticated user. This can lead to session hijacking, defacement, theft of sensitive database credentials, or further attacks against the database server [1][2].

Mitigation

Upgrade to phpMyAdmin 3.4.11.1 or 3.5.2.2 or later, which contain the necessary fixes [2]. Patches are available in the referenced commits [2]. Linux distributions such as Mandriva have released updated packages (e.g., phpmyadmin-3.4.11.1) [3]. No workarounds are documented; upgrading is the recommended action.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions     Patched versions
phpmyadmin/phpmyadmin (Packagist)   >= 3.4, < 3.4.11.1    3.4.11.1
phpmyadmin/phpmyadmin (Packagist)   >= 3.5, < 3.5.2.2     3.5.2.2

Affected products

24
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:* + 21 more
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
    • (no CPE) range: >=3.4.0, <3.4.11.1 || >=3.5.0, <3.5.2.2
  • ghsa-coords: 2 versions
    • (no CPE) range: >= 3.4, < 3.4.11.1
    • (no CPE) range: < 4.6.5.2-1.1
