Multiple XSS vulnerabilities in extension phpMyAdmin (phpmyadmin)

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 4.11.3 and below

Vulnerability Type: Multiple Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C (What's that?)

References: PMASA-2011-13

Release Date: 26.08.2011


Problem Description: Because user input is not properly sanitized, phpmyadmin is susceptible to Cross-Site Scripting. An attacker must have permissions to change table, column or index names to exploit this problem.


Solution: An updated version 4.11.4 is available from the TYPO3 extension manager and Users of the extension are advised to update the extension as soon as possible.

The TYPO3 Security Team requests TYPO3 administrators to consider our advice from TYPO3-SA-2009-015 to either use extension phpMyAdmin only on development servers or to use the phpMyAdmin standalone application on production servers.

Credits: Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.


General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to thetypo3-announce mailing list to receive future Security Bulletins via E-mail.