CVE-2018-12581
Description
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Scripting in phpMyAdmin Designer feature via crafted database name allows remote attackers to execute arbitrary script in users' browsers.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in the js/designer/move.js file of phpMyAdmin versions before 4.8.2 [1]. The Designer feature does not properly escape database names when generating URLs, allowing an attacker to inject arbitrary JavaScript code via a crafted database name [1][2].
Exploitation
An attacker must be able to create or rename a database so that its name carries a JavaScript payload. When a user opens the Designer feature for that database, the injected script executes in the user's browser context [3]. The attacker needs no further authentication beyond database-creation privileges, but the victim must be an authenticated phpMyAdmin user [2].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the victim's browser within the phpMyAdmin session. This can lead to theft of authentication cookies, access to recently submitted form data, or actions performed on behalf of the victim user, potentially compromising the entire phpMyAdmin installation [4].
Mitigation
The vendor has released phpMyAdmin version 4.8.2, which fixes the issue by properly escaping database names in URLs [3]. Users should upgrade to this version or later. No workarounds are available for earlier versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | < 4.8.2 | 4.8.2 |
Affected products (3)
- Range: < 4.8.2
- GHSA coordinates: 2 versions (< 4.8.2, + 1 more)
- (no CPE) range: < 4.8.2
- (no CPE) range: < 5.1.1-1.2
Patches (1)
6943fff87324 Escape database name in URL
1 file changed · +1 −1
js/designer/move.js+1 −1 modified@@ -1117,7 +1117,7 @@ function Load_page (page) { if (page !== null) { param_page = argsep + 'page=' + page; } - $('<a href="db_designer.php?server=' + server + argsep + 'db=' + db + param_page + '"></a>') + $('<a href="db_designer.php?server=' + server + argsep + 'db=' + encodeURI(db) + param_page + '"></a>') .appendTo($('#page_content')) .click(); } else {
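Review bot: `encodeURI(db)` is the wrong encoder for a single query-string value in the `db=` parameter of the `db_designer.php` URL. `encodeURI` leaves `&`, `=`, `+`, `?`, `#` and `'` unencoded, so a database name containing any of them can still change the meaning of the `db=` parameter or append extra parameters, even though `"`, `<` and `>` are now percent-encoded. Use `encodeURIComponent(db)` here, apply the same to `page` in `param_page = argsep + 'page=' + page;`, which is still concatenated unencoded a few lines above, and prefer building the link with `$('<a>').attr('href', url)` so the value is never interpolated into an HTML string at all.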
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-vxj6-pm6r-23hq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-12581 (ghsa, ADVISORY)
- www.securityfocus.com/bid/104530 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041187 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/phpmyadmin/phpmyadmin/commit/6943fff87324bd54c3a37a5160a5fb77498c355e (ghsa, WEB)
- web.archive.org/web/20210124181711/http://www.securityfocus.com/bid/104530 (ghsa, WEB)
- web.archive.org/web/20210413204012/http://www.securitytracker.com/id/1041187 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2018-3 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2018-3/ (mitre, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.