CVE-2014-9219

phpMyAdmin 4.2.x < 4.2.13.1 - Cross-Site Scripting via URL Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9219. PoCs published by MohmadHafiz.

AI-analyzed exploit summary: This PoC demonstrates a cross-site scripting (XSS) vulnerability in phpMyAdmin 4.2.x before 4.2.13.1 due to improper sanitization of the url parameter in url.php. The exploit leverages inadequate escaping in a JavaScript string context to execute arbitrary JavaScript code.

Description

Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

Exploits (1)

nomisec WORKING POC
by MohmadHafiz · poc
https://github.com/MohmadHafiz/CVE-2014-9219

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: phpMyAdmin 4.2.0 - 4.2.13
No auth needed
Prerequisites: Victim must follow a crafted link
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0123
EPSS Percentile 65.3%

Details

CWE: CWE-79
Status: published
Products (18)
phpmyadmin/phpmyadmin 4.2.0
phpmyadmin/phpmyadmin 4.2.1
phpmyadmin/phpmyadmin 4.2.2
phpmyadmin/phpmyadmin 4.2.3
phpmyadmin/phpmyadmin 4.2.4
phpmyadmin/phpmyadmin 4.2.5
phpmyadmin/phpmyadmin 4.2.6
phpmyadmin/phpmyadmin 4.2.7
phpmyadmin/phpmyadmin 4.2.7.1
phpmyadmin/phpmyadmin 4.2.8
... and 8 more
Published Dec 08, 2014
Tracked Since Feb 18, 2026