XSS vulnerability on Tracking page.
It was possible to create a crafted table name that leads to XSS.
We consider this vulnerability to be serious.
This vulnerability works in the context of a shared phpMyAdmin installation. The attacker needs to convince a victim to go to the Tracking page that relates to the crafted table.
The 3.3.x and 3.4.0 versions are affected.
Older releases than 3.3.0 are not affected.
Upgrade to phpMyAdmin 188.8.131.52 or 3.4.1 or apply the related patch listed below.
This issue was found by a person who wishes to be known as "dave b".
Assigned CVE ids: CVE-2011-1940
The following commits have been made to fix this issue:
The following commits have been made on the 3.3.10 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.