CVE-2023-25727: phpMyAdmin Releases Software Update to Fix XSS Vulnerability

CVE-2023-25727

A moderate security vulnerability has been reported in phpMyAdmin which could allow attackers to perform dangerous database operations by uploading a specially-crafted .sql file.

phpMyAdmin is a free and open-source tool designed for managing MySQL and MariaDB databases over the Internet. With more than 200,000 downloads every month, phpMyAdmin is one of the top MySQL database administration tools.

The vulnerability, discovered by security researcher Erol Guven and tracked as CVE-2023-25727, is a cross-site scripting (XSS) flaw affecting phpMyAdmin versions prior to 4.9.11 and 5.2.1. It has existed since the release of version 4.3.0.

According to an advisory released by phpMyAdmin, “An XSS vulnerability has been discovered where an authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.”

phpMyAdmin developers fixed the CVE-2023-25727 bug reported by Guven with the release of versions 5.2.1 and 4.9.11. The vulnerability has been classified as “moderate.” Website administrators and hosting providers are strongly advised to install the latest update or patches immediately.

The advisory also describes a workaround: “By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability.”
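As an added example (not from the advisory or the phpMyAdmin project), the following `config.inc.php` fragment shows the workaround the advisory describes, together with a small version check an administrator could use to decide whether an installed copy falls inside the affected range stated above. The helper name `isAffectedVersion`, its branch logic and the sample version strings are assumptions made for this illustration.

```php
<?php
// Added example for CVE-2023-25727; not part of phpMyAdmin or its advisory.

// --- config.inc.php fragment ---
// phpMyAdmin ships with drag-and-drop .sql import enabled (true).
// Setting the directive to false removes the upload path named in the
// advisory, which serves as the interim mitigation until the fixed
// release (4.9.11 / 5.2.1) is installed.
$cfg['enable_drag_drop_import'] = false;

// --- affected-version check (helper name and logic are assumptions) ---
// Affected per the advisory: 4.3.0 up to but excluding 4.9.11 on the 4.x
// branch, and every 5.x release before 5.2.1.
function isAffectedVersion(string $version): bool
{
    if (version_compare($version, '4.3.0', '<')) {
        return false;                                        // bug introduced in 4.3.0
    }
    if (version_compare($version, '5.0.0', '<')) {
        return version_compare($version, '4.9.11', '<');     // 4.x branch, fixed in 4.9.11
    }
    return version_compare($version, '5.2.1', '<');          // 5.x branch, fixed in 5.2.1
}

// Constructed sample versions for illustration only.
foreach (['4.2.9', '4.9.10', '4.9.11', '5.2.0', '5.2.1'] as $v) {
    printf("%-7s affected: %s\n", $v, isAffectedVersion($v) ? 'yes' : 'no');
}
```

The configuration line is the only change needed on a live installation; the version helper is meant for an inventory script that reads each host's reported phpMyAdmin version and flags those still needing the update.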