The phpMyAdmin development team reports:
- With a crafted table name it is possible to trigger
an XSS attack in the database search page.
- With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attack in the zoom search
page.
- With a crafted hostname header, it is possible to
trigger an XSS attack in the home page.
We consider these vulnerabilities to be non-critical.
These vulnerabilities can be triggered only by someone
who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the
required pages.