Medium severity6.1NVD Advisory· Published Jul 17, 2017· Updated May 13, 2026

CVE-2017-1000015

Description

phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin versions 4.0, 4.4, and 4.6 are vulnerable to CSS injection via crafted cookie parameters, allowing an attacker to alter page appearance and potentially mislead users.

Vulnerability

phpMyAdmin 4.0.x (prior to 4.0.10.19), 4.4.x (prior to 4.4.15.10), and 4.6.x (prior to 4.6.6) are vulnerable to a CSS injection attack [1][4]. The vulnerability resides in the theme handling mechanism, which does not properly sanitize cookie parameters. An attacker can inject arbitrary CSS rules by providing crafted values in pma_theme, pma_fontsize, or similar cookie parameters [2][4]. No special configuration is required; the code path is reachable as long as the application uses theme-based styling.

Exploitation

An attacker needs the ability to set arbitrary cookie values on the victim's browser. This can be achieved through cross-site scripting in another application on the same domain, or by convincing a user to click a link that triggers a cookie-setting script (e.g., using JavaScript document.cookie). Once the cookie is set, the attacker's CSS payload is applied when the victim visits any phpMyAdmin page [2][4]. The attack does not require authentication because the cookie is processed before the login page.

Impact

Successful exploitation allows an attacker to inject arbitrary CSS styles into phpMyAdmin pages. This can be used to alter the visual appearance of the interface, hide or spoof page elements, or create phishing scenarios (e.g., displaying a fake login form). The impact is limited to CSS injection; it does not directly lead to code execution or data disclosure, but can aid in social engineering attacks [1][4].

Mitigation

Upgrade to phpMyAdmin 4.0.10.19, 4.4.15.10, 4.6.6, or any later release [4]. Patches are available in the official repository (commits 8a08162, bd3677f, 3a62476) [4]. No workarounds have been published; the only reliable fix is to apply the security update. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of September 2025.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
phpmyadmin/phpmyadminPackagist	>= 4.6.0, < 4.6.6	4.6.6
phpmyadmin/phpmyadminPackagist	>= 4.4.0, < 4.4.15.10	4.4.15.10
phpmyadmin/phpmyadminPackagist	>= 4.0.0, < 4.0.10.19	4.0.10.19

Affected products

PhpMyAdmin/phpMyAdmin71 versions
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*+ 70 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.16:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.17:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.18:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.5:*:*:*:*:*:*:*
- (no CPE)range: 4.0, 4.4, 4.6
ghsa-coords2 versions
pkg:composer/phpmyadmin/phpmyadmin pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Tumbleweed
>= 4.6.0, < 4.6.6+ 1 more
- (no CPE)range: >= 4.6.0, < 4.6.6
- (no CPE)range: < 5.1.1-1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/95726nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-3fgq-cmr4-97rrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-1000015ghsaADVISORY
www.phpmyadmin.net/security/PMASA-2017-4nvdVendor AdvisoryWEB
web.archive.org/web/20210123220229/http://www.securityfocus.com/bid/95726ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000