CVE-2018-19970
Description
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin before 4.8.4 has a stored XSS in the navigation tree via crafted database/table names.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the navigation tree component of phpMyAdmin versions 4.0 through 4.8.3. An attacker can create a database or table whose name carries an HTML/JavaScript payload; the navigation tree writes that name into the page without HTML escaping, so the payload is rendered as markup whenever a logged-in user browses the server [1][3].
Exploitation
An attacker must first have valid credentials to log in to phpMyAdmin with enough MySQL privileges to create databases or tables, as the token-based request protection prevents unauthenticated users from reaching the required forms [3]. Once authenticated, the attacker creates a database or table with a name containing embedded JavaScript, for example a `<script>` element or an HTML attribute carrying an event handler such as `onerror`. The name still has to be a valid MySQL identifier (at most 64 characters, no `/`, `\` or `.`, no trailing space), which constrains the payload somewhat but does not prevent the attack. When the victim (also logged in) views the navigation tree, the payload executes in the context of the victim's phpMyAdmin session [1][3]. No user interaction beyond navigating the tree is required.
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser within the phpMyAdmin application context. This can lead to session hijacking, credential theft, or manipulation of the database management interface, including issuing SQL statements with the victim's MySQL privileges [1][3]. The attack requires an authenticated attacker, but a single planted name affects every user who browses the navigation tree, and it matters most when the victim holds broader database privileges than the attacker.
Mitigation
The vulnerability is fixed in phpMyAdmin 4.8.4, released December 7, 2018 [3]. Users should upgrade to version 4.8.4 or later. If upgrading is not immediately possible, the commit b293ff5f234ef493336ed8638f623a12164d359e on the 4.8 branch provides a patch [3]. There is no known workaround [4].
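To make the mechanism in the Vulnerability, Exploitation and Mitigation paragraphs concrete, the following Python is an added example, not phpMyAdmin's code and not the contents of the fix commit. It models the vulnerable rendering step (name concatenated straight into the tree markup), the hardened form (name escaped as HTML text), an approximate `mysql_identifier_ok` check for what an attacker can actually plant as a database or table name, and an audit over constructed `SHOW DATABASES` output that flags existing names an unpatched instance would render as live markup. The sample names are made up for the example.

```python
import html
import re

# Constructed sample of what SHOW DATABASES / SHOW TABLES might return on a
# server where a low-privileged user has created hostile objects.
# These names are invented for this example, not taken from the advisory.
SAMPLE_NAMES = [
    "sales",
    "customers_2018",
    "<img src=x onerror=alert(1)>",
    'inventory" onmouseover="alert(1)',
]

# Characters that give a name meaning to an HTML parser when it is written
# into markup unescaped (text node or attribute value).
HTML_META = re.compile(r'[<>"\'&]')


def mysql_identifier_ok(name: str) -> bool:
    """Approximation of MySQL's rules for database/table names when the name is
    backtick-quoted: 1..64 characters, no trailing space, and none of '/', '\\'
    or '.' (these names map to directory and file names). An attacker's payload
    has to satisfy this, which is why a dotted hostname or document.cookie
    cannot appear literally in a planted name."""
    if not 0 < len(name) <= 64 or name.endswith(" "):
        return False
    return not any(c in name for c in "/\\.")


def render_tree_vulnerable(names):
    """Model of the pre-4.8.4 behaviour: the raw name is concatenated into the
    <li> element, so any HTML inside the name is parsed as HTML."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_tree_fixed(names):
    """Hardened form: escape the name for an HTML text node before emitting it.
    quote=True also encodes quotes, which matters if the same value is ever
    reused inside an attribute such as title="...".
    """
    return "<ul>" + "".join(
        f"<li>{html.escape(n, quote=True)}</li>" for n in names
    ) + "</ul>"


def audit_names(names):
    """Return the names that the vulnerable renderer would emit as active
    markup. Run this over the output of SHOW DATABASES and SHOW TABLES on an
    instance that has not yet been upgraded to 4.8.4."""
    return [n for n in names if HTML_META.search(n)]


if __name__ == "__main__":
    print("vulnerable:", render_tree_vulnerable(SAMPLE_NAMES))
    print("fixed:     ", render_tree_fixed(SAMPLE_NAMES))
    print("flagged:   ", audit_names(SAMPLE_NAMES))
```

The escaping shown is the generic remedy for this bug class; the real fix is the upgrade to 4.8.4 or the referenced commit, and `audit_names` is only a way to find names that were planted before the upgrade, since patching the renderer does not remove them.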
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 4.0, < 4.8.4 | 4.8.4 |
Affected products
- Range: < 4.8.4
- GHSA coordinates (2 version ranges): >= 4.0, < 4.8.4 (+1 more)
- (no CPE) range: >= 4.0, < 4.8.4
- (no CPE) range: < 5.1.1-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8987-93fh-rcwq (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-19970 (GHSA: advisory)
- security.gentoo.org/glsa/201904-16 (GHSA: vendor advisory, x_refsource_GENTOO)
- www.securityfocus.com/bid/106181 (GHSA: VDB entry, x_refsource_BID)
- lists.debian.org/debian-lts-announce/2019/02/msg00003.html (GHSA: mailing list, x_refsource_MLIST)
- www.phpmyadmin.net/security/PMASA-2018-8 (GHSA: web)
- www.phpmyadmin.net/security/PMASA-2018-8/ (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.