VYPR
Moderate severity · NVD Advisory · Published Oct 25, 2012 · Updated Apr 29, 2026

CVE-2012-5368

Description

phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 3.5.x before 3.5.3 fetches version-check JavaScript over HTTP, enabling man-in-the-middle cross-site scripting attacks.

Vulnerability

phpMyAdmin versions 3.5.x prior to 3.5.3 load a JavaScript file from http://www.phpmyadmin.net/home_page/version.js over a non-SSL connection [1][3]. This script is used to display version information on the main page. Because the request is plain HTTP, an attacker on the network path can tamper with the script content. The affected code path is triggered when the main page renders the version check element (class jsversioncheck) [2].

Exploitation

An attacker must be in a man-in-the-middle (MITM) position on the network path between the victim and www.phpmyadmin.net [3]. No authentication or user interaction beyond loading the phpMyAdmin main page is required. The attacker intercepts the HTTP GET request for version.js and substitutes arbitrary JavaScript. Because the script is loaded with $.getScript, the browser executes the substituted response as code in the context of the phpMyAdmin application [2].

Impact

Successful exploitation leads to cross-site scripting (XSS) [1][3]. The attacker can inject malicious JavaScript into the phpMyAdmin interface, potentially stealing session cookies, performing actions as the victim, or defacing the page. The compromise occurs within the phpMyAdmin session, granting the attacker access to database management functionality at the victim's privilege level.

Mitigation

Upgrade to phpMyAdmin 3.5.3 or later [3]. The fix changes the endpoint to a JSON file fetched via $.getJSON from http://www.phpmyadmin.net/home_page/version.json, no longer executing remote code as a script [2]. For administrators unable to upgrade immediately, a workaround is to disable the version check feature by removing the jsversioncheck element or blocking outgoing HTTP requests to phpmyadmin.net [3][4]. The vulnerability is not listed on the CISA KEV.
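To make the mitigation concrete, here is an added example (not phpMyAdmin's code) of how a client should treat the body of version.json before anything reaches the page: parse it, allow-list the two fields, compare versions, and escape on output. escapeHtml and parseVersionString are simplified stand-ins for the functions the fix relies on, and buildVersionMessage is a hypothetical name.

```javascript
// Added example, not phpMyAdmin's own code. Names below are stand-ins.

// Escape the five characters that matter when text is inserted as HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;',
             '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Numeric ordering in which the hotfix component sits below 10000, so the
// diff's Math.floor(x / 10000) comparison means "same major.minor.patch".
function parseVersionString(str) {
  var p = str.split('.');
  var maj = parseInt(p[0], 10) || 0, min = parseInt(p[1], 10) || 0;
  var pat = parseInt(p[2], 10) || 0, hot = parseInt(p[3], 10) || 0;
  return maj * 100000000 + min * 1000000 + pat * 10000 + hot * 100;
}

// Turn the raw, untrusted response body into {html, klass}, or null when the
// body does not look like a version record. The allow-list regexes are the
// key control: anything outside digits, dots and dashes is rejected, not rendered.
function buildVersionMessage(rawBody, currentVersion) {
  var data;
  try { data = JSON.parse(rawBody); } catch (e) { return null; }
  if (!data || typeof data.version !== 'string' || typeof data.date !== 'string') {
    return null;
  }
  if (!/^\d+(\.\d+){1,3}$/.test(data.version)) { return null; }
  if (!/^\d{4}-\d{2}-\d{2}$/.test(data.date)) { return null; }

  var current = parseVersionString(currentVersion);
  var latest = parseVersionString(data.version);
  var html = 'Latest available: ' + escapeHtml(data.version);
  var klass = 'notice';
  if (latest > current) {
    html += ' (newer version released ' + escapeHtml(data.date) + ')';
    // Same major.minor.patch but a newer hotfix: flag as a security update.
    if (Math.floor(latest / 10000) === Math.floor(current / 10000)) {
      klass = 'error';
    }
  }
  return { html: html, klass: klass };
}

// Constructed sample bodies: one legitimate, one tampered with on the path.
var GOOD_BODY = '{"version":"3.5.2.2","date":"2012-08-31"}';
var TAMPERED_BODY = '{"version":"<b>3.5.3</b>","date":"2012-09-03"}';
```

Rejecting a malformed record (returning null) is preferable to escaping and displaying it, because a version check has no legitimate reason to carry markup.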

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: phpmyadmin/phpmyadmin (Packagist)
Affected versions: >= 3.5, < 3.5.3
Patched versions: 3.5.3

Affected products

  • CPE entries:
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
    • (no CPE) range: < 3.5.3
  • GHSA coordinates:
    • (no CPE) range: >= 3.5, < 3.5.3
    • (no CPE) range: < 4.6.5.2-1.1

Patches

a547f3d3e2cf

Escape json reply received from server

https://github.com/phpmyadmin/phpmyadmin · Michal Čihař · Sep 3, 2012 · via ghsa
1 file changed · +2 -2
  • js/functions.js (+2 -2, modified)
    @@ -132,9 +132,9 @@ function PMA_current_version(data)
     {
         var current = parseVersionString(pmaversion);
         var latest = parseVersionString(data['version']);
    -    var version_information_message = PMA_messages['strLatestAvailable'] + ' ' + data['version'];
    +    var version_information_message = PMA_messages['strLatestAvailable'] + ' ' + escapeHtml(data['version']);
         if (latest > current) {
    -        var message = $.sprintf(PMA_messages['strNewerVersion'], data['version'], data['date']);
    +        var message = $.sprintf(PMA_messages['strNewerVersion'], escapeHtml(data['version']), escapeHtml(data['date']));
             if (Math.floor(latest / 10000) == Math.floor(current / 10000)) {
                 /* Security update */
                 klass = 'error';
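Review bot: escapeHtml() now wraps data['version'] and data['date'] at the two message-building sites, which is the right place to escape, but parseVersionString(data['version']) two lines above still consumes the raw string, and version.json is fetched over plain HTTP, so both fields remain under the control of anyone on the network path. Consider validating the shape of data['version'] (digits and dots) and data['date'] before use, so a malformed record is dropped rather than escaped and displayed. Please also confirm escapeHtml is defined in js/functions.js at this point; the hunk does not show its definition.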
    
50edafc0884a

Load JSON rather than javascript from phpmyadmin.net

https://github.com/phpmyadmin/phpmyadmin · Michal Čihař · Aug 31, 2012 · via ghsa
2 files changed · +7 -7
  • js/functions.js (+6 -6, modified)
    @@ -128,13 +128,13 @@ function parseVersionString (str)
     /**
      * Indicates current available version on main page.
      */
    -function PMA_current_version()
    +function PMA_current_version(data)
     {
         var current = parseVersionString(pmaversion);
    -    var latest = parseVersionString(PMA_latest_version);
    -    var version_information_message = PMA_messages['strLatestAvailable'] + ' ' + PMA_latest_version;
    +    var latest = parseVersionString(data['version']);
    +    var version_information_message = PMA_messages['strLatestAvailable'] + ' ' + data['version'];
         if (latest > current) {
    -        var message = $.sprintf(PMA_messages['strNewerVersion'], PMA_latest_version, PMA_latest_date);
    +        var message = $.sprintf(PMA_messages['strNewerVersion'], data['version'], data['date']);
             if (Math.floor(latest / 10000) == Math.floor(current / 10000)) {
                 /* Security update */
                 klass = 'error';
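Review bot: data['version'] and data['date'] are concatenated into version_information_message and message without escaping, and both strings come from the plain-HTTP version.json response, so they are attacker-controlled and must not reach the DOM raw. Wrap them here, e.g. `escapeHtml(data['version'])` and `escapeHtml(data['date'])`, as the follow-up commit a547f3d3e2cf does.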
    @@ -1734,7 +1734,7 @@ function PMA_createProfilingChartJqplot(target, data)
                 seriesDefaults: {
                     renderer: $.jqplot.PieRenderer,
                     rendererOptions: {
    -                    showDataLabels:  true 
    +                    showDataLabels:  true
                     }
                 },
                 legend: {
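Review bot: this hunk only strips a trailing space after `showDataLabels:  true` in PMA_createProfilingChartJqplot and is unrelated to the version-check fix; keep whitespace cleanups out of a security commit so the change stays minimal to review and backport.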
    @@ -3218,7 +3218,7 @@ $(document).ready(function() {
          * Load version information asynchronously.
          */
         if ($('.jsversioncheck').length > 0) {
    -        $.getScript('http://www.phpmyadmin.net/home_page/version.js', PMA_current_version);
    +        $.getJSON('http://www.phpmyadmin.net/home_page/version.json', {}, PMA_current_version);
         }
     
         /**
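Review bot: the URL is still http://, so replacing $.getScript with $.getJSON stops the response from being executed as code but does not stop an on-path attacker from supplying its contents; fetch the file over HTTPS if the host supports it, and treat the parsed object as untrusted input inside PMA_current_version. With dataType json and no `callback=?` in the URL, jQuery parses the body strictly rather than as JSONP, which is what makes this change effective, so keep the URL free of that parameter.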
    
  • libraries/header_http.inc.php (+1 -1, modified)
    @@ -22,7 +22,7 @@
     /* Prevent against ClickJacking by allowing frames only from same origin */
     if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
         header('X-Frame-Options: SAMEORIGIN');
    -    header("X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' http://www.phpmyadmin.net");
    +    header("X-Content-Security-Policy: allow 'self' http://www.phpmyadmin.net; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:");
         header("X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; options inline-script eval-script");
     }
     PMA_no_cache_header();
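Review bot: moving http://www.phpmyadmin.net from script-src into the default `allow` directive and dropping script-src altogether means scripts from that origin are still permitted, because script-src now falls back to `allow`; it also widens the origin to every other resource type the default covers. If the intent is only to let the XMLHttpRequest for version.json through, the narrower form in this pre-standard syntax is `xhr-src 'self' http://www.phpmyadmin.net` with `script-src 'self'` restored. The unchanged X-WebKit-CSP line keeps the origin in `allow` as well, so the same point applies there.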
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
