Low severity · NVD Advisory · Published Aug 22, 2014 · Updated May 6, 2026

CVE-2014-5274

Description

Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions       Patched versions
phpmyadmin/phpmyadmin (Packagist)   >= 4.1.0, < 4.1.14.3    4.1.14.3
phpmyadmin/phpmyadmin (Packagist)   >= 4.2.0, < 4.2.7.1     4.2.7.1

Affected products

  • phpmyadmin/phpmyadmin (25 versions)
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.13:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.7:*:*:*:*:*:*:*
  • opensuse/openSUSE (2 versions)
    • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

Commit 0cd293f5e13a

bug #4505 [security] XSS in view operations page

https://github.com/phpmyadmin/phpmyadmin · Madhura Jayaratne · Aug 17, 2014 · via GHSA
2 files changed · +4 -1
  • ChangeLog (+3 -0, modified)
    @@ -1,6 +1,9 @@
     phpMyAdmin - ChangeLog
     ======================
     
    +4.2.7.1 (2014-08-17)
    +- bug #4505 [security] XSS in view operations page
    +
     4.2.7.0 (2014-07-31)
     - bug       Broken links on home page
     - bug #4494 Overlap in navigation panel
    
  • js/functions.js (+1 -1, modified)
    @@ -3585,7 +3585,7 @@ AJAX.registerOnload('functions.js', function () {
             var question = PMA_messages.strDropTableStrongWarning + ' ';
             question += $.sprintf(
                 PMA_messages.strDoYouReally,
    -            'DROP VIEW ' + PMA_commonParams.get('table')
    +            'DROP VIEW ' + escapeHtml(PMA_commonParams.get('table'))
             );
     
             $(this).PMA_confirm(question, $(this).attr('href'), function (url) {
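Review bot: escapeHtml() is applied to the table name in this one dialog only; the same PMA_commonParams.get('table') interpolation should be checked in the other confirm prompts of functions.js that build a question string the same way, and since PMA_confirm renders the question as HTML the escaper must cover the quote characters and & as well as < and >, otherwise an attribute-context break-out remains possible.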
    

Vulnerability mechanics

Root cause

"The application fails to sanitize user-controllable input (the view name) before rendering it in the browser, leading to Cross-site Scripting (XSS)."

Attack vector

A remote authenticated user can trigger this XSS vulnerability by providing a crafted view name [CWE-79]. When the view operations page processes this name, the malicious script is injected into the web page via the confirmation dialog [patch_id=21156]. This allows the execution of arbitrary web script or HTML in the context of the victim's session.

Affected code

The vulnerability is located in `js/functions.js` within the view operations page functionality. The code fails to properly sanitize the table name before including it in a confirmation message displayed to the user [patch_id=21156].

What the fix does

The patch modifies `js/functions.js` to wrap the table name retrieved from `PMA_commonParams.get('table')` with the `escapeHtml()` function [patch_id=21156]. This ensures that any special characters in the view name are properly neutralized before being rendered in the confirmation dialog. By escaping the input, the application prevents the browser from interpreting the view name as executable HTML or script [CWE-79].
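As an added example (not phpMyAdmin's code and not part of this advisory), the question-building pattern from the js/functions.js hunk with the vulnerable and fixed forms side by side, plus a check that the fixed string no longer carries a parseable tag; escapeHtml, sprintf and the two message strings are stand-ins for phpMyAdmin's own helpers and PMA_messages entries.

```javascript
// Added example, not phpMyAdmin's code. The helpers below mirror the shape of
// phpMyAdmin's escapeHtml and $.sprintf but are hypothetical stand-ins.

// Minimal HTML escaper covering the five characters that matter in both text
// and attribute context (stand-in for phpMyAdmin's escapeHtml).
function escapeHtml(unsafe) {
  return String(unsafe)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Single %s substitution standing in for $.sprintf. A replacer function is
// used so that "$&"-style patterns inside the argument are inserted verbatim.
function sprintf(fmt, arg) {
  return fmt.replace('%s', () => arg);
}

// Stand-ins for the PMA_messages strings referenced in the hunk.
const strDropTableStrongWarning = 'You are about to DESTROY a complete view!';
const strDoYouReally = 'Do you really want to execute "%s"?';

// Before the fix: the view name is concatenated into HTML-rendered text as-is.
function buildQuestionVulnerable(viewName) {
  var question = strDropTableStrongWarning + ' ';
  question += sprintf(strDoYouReally, 'DROP VIEW ' + viewName);
  return question;
}

// After the fix: the view name is escaped before it reaches the dialog.
function buildQuestionFixed(viewName) {
  var question = strDropTableStrongWarning + ' ';
  question += sprintf(strDoYouReally, 'DROP VIEW ' + escapeHtml(viewName));
  return question;
}

// Detection helper: does the string still contain a tag the browser would
// parse when the dialog body is inserted as HTML?
function containsHtmlTag(s) {
  return /<[a-zA-Z!\/][^>]*>/.test(s);
}

// Constructed sample view name carrying harmless markup; any tag at all is
// enough to prove the rendering context is HTML rather than plain text.
const craftedViewName = 'sales<b>view</b>';
```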

Preconditions

  • auth: the attacker must be a remote authenticated user.

Reproduction

The provided references point to the commit containing the fix, which serves as the basis for understanding the vulnerability [patch_id=21156]. No specific step-by-step exploit payload is provided in the bundle.

Generated by google/gemini-3.1-flash-lite-preview on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
