CVE-2008-4326 — Cross-site Scripting in Phpmyadmin

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedSep 30

Latest updateMay 2

Description

The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:2.11.8.1-3 (bookworm)

▶Debianphpmyadmin/phpmyadmin< 4:2.11.8.1-3+3

▶NVDphpmyadmin/phpmyadmin2.11.9.1+137

🔴Vulnerability Details

GHSA

GHSA-x3hp-v67w-2vc2: The PMA_escapeJsString function in libraries/js_escape↗2022-05-02

▶

OSV

CVE-2008-4326: The PMA_escapeJsString function in libraries/js_escape↗2008-09-30

▶

📋Vendor Advisories

Debian

CVE-2008-4326: phpmyadmin - The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin bef...↗2008

▶

Red Hat

phpMyAdmin: XSS in MSIE using NUL byte↗

▶