phpMyAdmin Print view XSS-Vulnerability
- Reported: 05.07.2011
- Published: 23.07.2011
- Updated: 23.07.2011
- Affected versions: <= 3.4.3.1
- Risk: moderate
- Solution: Update to 3.4.3.2 or newer
- CVE-ID: CVE-2011-2642
Description
See also the related advisory: phpMyAdmin Direct Remote Code Execution
The table print view in phpMyAdmin is susceptible to XSS.
The table name is not properly sanitized before it is written into the page. This allows an attacker to execute arbitrary JavaScript code
in the context of the phpMyAdmin site, i.e. in the victim's authenticated session.
The attacker needs access to the victim's database and the CREATE or ALTER TABLE privilege, so that a table whose name carries the payload can be created or renamed.
Additionally, the attacker must trick the victim into opening the following link (no URL token is required):
tbl_printview.php?db=database_to_attack&table=[table name as payload]
Need help securing your (web) applications? Write an e-mail to wildcat at the-wildcat dot de or contact me on XING
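The following Python is an added illustration of the three pieces described above and is not code from the advisory or from phpMyAdmin: the SQL an attacker with CREATE TABLE would run to plant the payload in a table name, the print-view URL the victim has to open, and the difference between writing the name into the page unescaped (the pre-3.4.3.2 behaviour) and HTML-escaping it (the fix). The page template, the function names and the sample table names are assumptions made for this example; the 64-character limit on MySQL identifiers is a real constraint that caps the payload length. The audit helper at the end is the check an administrator would run over the output of SHOW TABLES or information_schema.tables to find a name that has already been planted.

```python
import html
import re
from urllib.parse import urlencode

# MySQL caps table names at 64 characters, so the XSS payload has to fit.
MYSQL_IDENTIFIER_MAX = 64

# Assumed payload for the example (short enough to fit the 64-char limit).
PAYLOAD = "<script>alert(1)</script>"

# Constructed sample of names as SHOW TABLES might return them (not real data).
SAMPLE_TABLE_NAMES = [
    "customers",
    "order_items",
    PAYLOAD,
    'x" onmouseover="alert(1)',
]

# Simplified stand-in for the print view's heading markup (assumption).
PRINT_VIEW_TEMPLATE = "<h1>Table: {name}</h1>"


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier, doubling any embedded backticks."""
    return "`" + name.replace("`", "``") + "`"


def create_table_sql(table_name: str) -> str:
    """SQL an attacker with CREATE TABLE would run to plant the payload.

    Raises ValueError if the name cannot be a MySQL identifier at all.
    """
    if len(table_name) > MYSQL_IDENTIFIER_MAX:
        raise ValueError("table name exceeds MySQL's 64-character limit")
    return f"CREATE TABLE {quote_identifier(table_name)} (id INT)"


def print_view_url(db: str, table: str) -> str:
    """The link the victim is tricked into opening (query string URL-encoded)."""
    return "tbl_printview.php?" + urlencode({"db": db, "table": table})


def render_print_view_vulnerable(table_name: str) -> str:
    """Pre-3.4.3.2 behaviour: the name is written into the page unescaped."""
    return PRINT_VIEW_TEMPLATE.format(name=table_name)


def render_print_view_fixed(table_name: str) -> str:
    """Hardened form: HTML-escape the name (PHP equivalent: htmlspecialchars)."""
    return PRINT_VIEW_TEMPLATE.format(name=html.escape(table_name, quote=True))


# Characters that should never appear in a table name on a clean server.
_HTML_META = re.compile(r'[<>"\'&]')


def suspicious_table_names(names):
    """Audit helper: return table names containing HTML metacharacters."""
    return [n for n in names if _HTML_META.search(n)]


if __name__ == "__main__":
    print(create_table_sql(PAYLOAD))
    print(print_view_url("shop", PAYLOAD))
    print("vulnerable:", render_print_view_vulnerable(PAYLOAD))
    print("fixed:     ", render_print_view_fixed(PAYLOAD))
    print("suspicious:", suspicious_table_names(SAMPLE_TABLE_NAMES))
```

Note that escaping at output time is the fix that matters: rejecting odd table names at creation time would not help, because the attacker creates the table through their own SQL access, not through phpMyAdmin's forms.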