CVE-2023-25727: Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin
(updated )
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive $cfg['enable_drag_drop_import'], users will be unable to use the drag and drop upload which would protect against the vulnerability.
References
- github.com/advisories/GHSA-6hr3-44gx-g6wh
- github.com/phpmyadmin/composer
- github.com/phpmyadmin/phpmyadmin/commit/53f70fd7f3b388639922e6cc1ca51fbe890c91cc
- github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e
- nvd.nist.gov/vuln/detail/CVE-2023-25727
- www.phpmyadmin.net/security/PMASA-2023-1
Code Behaviors & Features
Detect and mitigate CVE-2023-25727 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →