Fluid Attacks Database

Description

Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive $cfg['enable_drag_drop_import'], users will be unable to use the drag and drop upload which would protect against the vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	phpmyadmin	>=0 <4:5.2.1+dfsg-1	4:5.2.1+dfsg-1
packagist	phpmyadmin/phpmyadmin	>=4.3.0 <4.9.11 \|\| >=5.0 <5.2.1	4.9.11, 5.2.1
debian 11	phpmyadmin	=4:5.0.4+dfsg2-2 \|\| =4:5.0.4+dfsg2-2+deb11u1 \|\| >=0 <4:5.0.4+dfsg2-2+deb11u2	4:5.0.4+dfsg2-2+deb11u2
debian 12	phpmyadmin	>=0 <4:5.2.1+dfsg-1	4:5.2.1+dfsg-1

Aliases

1. CVE-2023-257272. NVD-2023-257273. OSV-DEBIAN-2023-257274. OSV-2023-257275. GCVE-2023-257276. SECURITY-TRACKER-CVE-2023-25727

References

1. https://github.com/phpmyadmin/phpmyadmin/commit/53f70fd7f3b388639922e6cc1ca51fbe890c91cc2. https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e3. https://www.phpmyadmin.net/security/PMASA-2023-1