CVE-2023-25727
Description
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user can trigger stored XSS in phpMyAdmin by uploading a crafted .sql file via the drag-and-drop interface, due to unsanitized filename output.
Overview
In phpMyAdmin versions before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger a cross-site scripting (XSS) vulnerability by uploading a specially crafted .sql file through the drag-and-drop import interface [1][3]. The root cause is a missing escape of the uploaded filename when it is displayed in the import result dialog [4]. Specifically, the filename variable was concatenated directly into an HTML string passed to $('body').append(...) without sanitization, so any markup in the filename is parsed by the browser and an attacker can inject arbitrary JavaScript [4].
Exploitation
To exploit this, an attacker must have a valid phpMyAdmin session (authentication is required) and access to the drag-and-drop import feature. The attacker uploads a .sql file whose filename contains malicious HTML or JavaScript payloads. When the import operation completes, the filename is rendered unsanitized inside the `<h2>` heading of the result dialog appended to the browser's DOM [2][4]. No special network position is required beyond normal access to the phpMyAdmin interface.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's phpMyAdmin session. This can lead to session hijacking, credential theft, or further malicious actions within the database management interface, all under the identity of the authenticated victim user.
Mitigation
Users should upgrade to phpMyAdmin 4.9.11 or 5.2.1, which include the fix [3]. The vulnerability was patched by escaping the filename using Functions.escapeHtml() [4]. As a workaround, administrators can disable the drag-and-drop import feature by setting $cfg['enable_drag_drop_import'] = false [3]. The vulnerability has existed since version 4.3.0 and is considered moderate severity by the phpMyAdmin team [3].
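The following JavaScript is an added illustration, not code from phpMyAdmin: it rebuilds the dialog-string pattern from the fix commits in plain Node (no jQuery, no DOM) so the before/after behaviour can be compared offline. The `escapeHtml` here is a stand-in for phpMyAdmin's `Functions.escapeHtml` and assumes the usual five-character replacement; `foreignTags` is an assumed helper that approximates what the browser would parse out of the string. The filename is a constructed sample.

```javascript
'use strict';

// Stand-in for phpMyAdmin's Functions.escapeHtml (assumption: it neutralises
// the five characters that can open or close HTML markup and attributes).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the import-result dialog markup the way the pre-fix code did
// (escapeFilename = false) and the way the patched code does
// (escapeFilename = true). headerText and message are concatenated as-is in
// both cases, mirroring the commit: only the filename handling differs.
function buildResultDialog(filename, headerText, message, escapeFilename) {
  const shown = escapeFilename ? escapeHtml(filename) : filename;
  return '<div class="pma_drop_result"><h2>' + headerText + ' - ' +
         shown + '<span class="close">x</span></h2>' + message + '</div>';
}

// Assumed helper: lists every tag name in the string that the template itself
// does not emit. Anything returned here is markup that came from an input and
// that $('body').append() would hand to the HTML parser.
const TEMPLATE_TAGS = new Set(['div', '/div', 'h2', '/h2', 'span', '/span']);

function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) found.push(m[1]);
  }
  return found;
}

// Constructed sample filename carrying inert markup; a real upload could carry
// any tag, which is the point the fix addresses.
const SAMPLE_FILENAME = 'backup<i>injected</i>.sql';
const HEADER = 'Import result';   // stands in for Messages.dropImportImportResultHeader
const MESSAGE = 'Import finished'; // stands in for value.message

// Compare both builds: the unpatched one leaks the <i> tag into the DOM, the
// patched one renders the filename as literal text.
function compare(filename) {
  return {
    before: foreignTags(buildResultDialog(filename, HEADER, MESSAGE, false)),
    after: foreignTags(buildResultDialog(filename, HEADER, MESSAGE, true)),
  };
}

console.log(compare(SAMPLE_FILENAME));
```

Note that `value.message` is still concatenated without escaping in both builds, exactly as in the patched code; the fix only covers the filename, so `compare` would still report foreign tags if markup arrived through the message parameter.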
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 4.3.0, < 4.9.11 | 4.9.11 |
| phpmyadmin/phpmyadmin | Packagist | >= 5.0, < 5.2.1 | 5.2.1 |
Affected products
- phpMyAdmin/phpMyAdmin (no CPE assigned; OSV package coordinates with their affected ranges):
  - pkg:bitnami/phpmyadmin: < 4.9.11
  - pkg:composer/phpmyadmin/phpmyadmin: >= 4.3.0, < 4.9.11
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.3: < 4.9.11-bp153.2.6.1
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.4: < 5.2.1-bp154.2.3.1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2012: < 4.9.11-58.1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP3: < 4.9.11-bp153.2.6.1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP4: < 5.2.1-bp154.2.3.1
Patches
efa240669555: Fix not escaped title when using drag and drop upload
1 file changed · +1 −1
js/src/drag_drop_import.js+1 −1 modified@@ -130,7 +130,7 @@ var DragDropImport = { var filename = $this.parent('span').attr('data-filename'); $('body').append('<div class="pma_drop_result"><h2>' + Messages.dropImportImportResultHeader + ' - ' + - filename + '<span class="close">x</span></h2>' + value.message + '</div>'); + Functions.escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>'); $('.pma_drop_result').draggable(); // to make this dialog draggable } });
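Review bot: the hunk escapes `filename` but leaves `value.message` concatenated unescaped into the same dialog string (`... + value.message + '</div>'`); unless that message is server-rendered HTML that is already escaped, it should go through `Functions.escapeHtml` too, or be set on the element with `.text()` instead of string concatenation, so the fix does not stop at one of the two interpolated inputs.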
53f70fd7f3b3: Fix not escaped title when using drag and drop upload
1 file changed · +1 −1
js/common.js+1 −1 modified@@ -290,7 +290,7 @@ PMA_DROP_IMPORT = { var filename = $this.parent('span').attr('data-filename'); $('body').append('<div class="pma_drop_result"><h2>' + PMA_messages.dropImportImportResultHeader + ' - ' + - filename + '<span class="close">x</span></h2>' + value.message + '</div>'); + escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>'); $('.pma_drop_result').draggable(); // to make this dialog draggable } });
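Review bot: this backport calls a bare global `escapeHtml(filename)` rather than a namespaced helper; confirm that global is defined and loaded before `PMA_DROP_IMPORT` runs on this branch, because an undefined function here would throw inside the callback and the result dialog would never be appended. The `value.message` concatenation on the same line is still unescaped, as in the main-branch commit.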
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6hr3-44gx-g6wh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-25727 (GHSA, advisory)
- github.com/phpmyadmin/phpmyadmin/commit/53f70fd7f3b388639922e6cc1ca51fbe890c91cc (GHSA, web)
- github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e (GHSA, web)
- www.phpmyadmin.net/security/PMASA-2023-1 (GHSA, web)
- www.phpmyadmin.net/security/PMASA-2023-1/ (MITRE)
News mentions
No linked articles in our index yet.