CVE-2023-25727 — phpmyadmin - security update

Description

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.

How to fix CVE-2023-25727

To remediate CVE-2023-25727, upgrade the affected package to a fixed version below.

Bitnami/phpmyadmin—upgrade to 4.9.11 or later
Debian/phpmyadmin—upgrade to 4:5.0.4+dfsg2-2+deb11u2 or later
—upgrade to 4:5.0.4+dfsg2-2+deb11u2 or later
—upgrade to 4.9.11 or later

Is CVE-2023-25727 being exploited?

Moderate — EPSS is 9.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

from 0, < 4.9.11, >= 5.0.0, < 5.2.1
from 0, < 4:5.0.4+dfsg2-2+deb11u2
from 0, < 4:5.0.4+dfsg2-2+deb11u2
>= 4.3.0, < 4.9.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-25727
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-25727
PATCHgithub.com/phpmyadmin/composer
WEBgithub.com/phpmyadmin/phpmyadmin/commit/53f70fd7f3b388639922e6cc1ca51fbe890c91cc