The phpMyAdmin developer team puts a lot of effort into making phpMyAdmin as
secure as possible. Still, a web application like phpMyAdmin can be vulnerable
to a number of attacks, and new ways to exploit it are still being explored.

For every reported vulnerability we issue a phpMyAdmin Security Announcement
(PMASA), and it gets assigned a CVE ID as well. We might group similar
vulnerabilities into one PMASA (e.g. multiple XSS vulnerabilities can be announced

If you think you've found a vulnerability, please see :ref:`reporting-security`.
In this section, we describe typical vulnerabilities that can appear in
our code base. This list is by no means complete; it is intended to show

Cross-site scripting (XSS)
++++++++++++++++++++++++++

When phpMyAdmin shows a piece of user data, e.g. something inside a user's
database, all HTML special characters have to be escaped. When this escaping is
missing somewhere, a malicious user might fill a database with specially crafted
content to trick another user of that database into executing something. This
could for example be a piece of JavaScript code that would do any number of

phpMyAdmin tries to escape all user data before it is rendered into HTML for the

`Cross-site scripting on Wikipedia <https://en.wikipedia.org/wiki/Cross-site_scripting>`_
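The following is an added illustration of the escaping rule described above; it is not phpMyAdmin's own code. It renders a constructed cell value once without escaping (the defect that produces a stored XSS) and once through ``htmlspecialchars()``, and shows the same escaping applied inside a double-quoted attribute, which is the only attribute form that is safe with escaped data. The function names and the sample value are assumptions made for this example.

```php
<?php
// Added example (not phpMyAdmin code): escaping stored user data before it
// is rendered into HTML. Function names and the sample value are hypothetical.

declare(strict_types=1);

// Constructed sample: a value another user could have stored in a table cell.
$cell = '<script>alert("xss")</script>';

// Vulnerable: the raw value is concatenated into the page, so the browser
// parses the stored markup and runs the script.
function renderCellUnsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened: convert every HTML special character to an entity first.
// ENT_QUOTES escapes both ' and " so the result is also safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
// emptying the output; the explicit charset avoids mis-decoding input.
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCellSafe(string $value): string
{
    return '<td>' . escape($value) . '</td>';
}

// Attribute context: both the field name and the value are escaped and the
// attribute is double-quoted, so a quote in the data cannot close it early.
function renderInputSafe(string $name, string $value): string
{
    return '<input type="text" name="' . escape($name) . '" value="' . escape($value) . '">';
}

echo renderCellUnsafe($cell), PHP_EOL;      // markup is live in the browser
echo renderCellSafe($cell), PHP_EOL;        // markup is shown as inert text
echo renderInputSafe('col', $cell), PHP_EOL;
```

Run with ``php example.php``: the unsafe line reproduces the stored ``<script>`` tag verbatim, while the safe lines contain only ``&lt;``, ``&gt;`` and ``&quot;`` entities, which the browser displays as text instead of parsing. Escaping must happen at the point where data is written into HTML, not when it is stored, because the same value may later be rendered in a different context (plain text export, JSON, SQL) with different escaping rules.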
Cross-site request forgery (CSRF)
+++++++++++++++++++++++++++++++++

An attacker would trick a phpMyAdmin user into clicking on a link to provoke
some action in phpMyAdmin. This link could either be sent via email or some
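The standard defence against the link-based attack described above is a per-session anti-CSRF token that the attacker cannot know. The example below is added here and is not phpMyAdmin's own implementation: the session array and request array are passed in explicitly so it runs from the command line, and the token key, field name and handler are hypothetical names chosen for the illustration.

```php
<?php
// Added example (not phpMyAdmin code): a per-session anti-CSRF token.
// CSRF_TOKEN_KEY, the function names and the simulated requests are
// hypothetical; session state is passed in so this runs without a web server.

declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token';

// Create the token once per session and keep it server-side.
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// Emit the token as a hidden form field. A page on another origin cannot
// read it, so a request forged from a link or foreign form lacks the value.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_TOKEN_KEY . '" value="' . $token . '">';
}

// Validate on every state-changing request. hash_equals() compares in
// constant time so the check does not leak the token byte by byte.
function csrfValid(array $session, array $request): bool
{
    $expected = $session[CSRF_TOKEN_KEY] ?? null;
    $given    = $request[CSRF_TOKEN_KEY] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

// State changes are only accepted via POST with a valid token; a plain link
// in an email yields a GET with no token and is refused.
function handleDropTable(string $method, array $session, array $request): string
{
    if ($method !== 'POST' || !csrfValid($session, $request)) {
        return 'Rejected: missing or invalid CSRF token';
    }
    return 'OK: would drop table ' . ($request['table'] ?? '');
}

// Constructed session and requests.
$session = [];
$form    = csrfField($session);            // normally embedded in the page
$forged  = ['table' => 'users'];                                        // from a link
$legit   = ['table' => 'users', CSRF_TOKEN_KEY => $session[CSRF_TOKEN_KEY]];

echo handleDropTable('GET',  $session, $forged), PHP_EOL;   // rejected
echo handleDropTable('POST', $session, $forged), PHP_EOL;   // rejected
echo handleDropTable('POST', $session, $legit),  PHP_EOL;   // accepted
```

Requiring POST alone is not enough, since a hidden auto-submitting form on an attacker's page can send a POST; the token is what ties the request to a page the legitimate user actually loaded. Setting the session cookie with ``SameSite=Lax`` or ``Strict`` is a useful second layer but should not replace the token.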