CVE-2019-25454 in phpMoAdmin
Summary
by MITRE • 02/21/2026
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability identified as CVE-2019-25454 affects phpMoAdmin version 1.1.5, a web-based administration tool for MongoDB databases. This stored cross-site scripting vulnerability represents a critical security flaw that allows attackers to inject malicious scripts into the application's database operations. It manifests when the collection parameter is processed during the creation of a database collection, creating a persistent XSS vector that affects every user who subsequently opens the affected part of the application interface.
The root cause is insufficient input validation and output sanitization in phpMoAdmin's parameter handling. When an attacker sends a crafted GET request to the moadmin.php endpoint with a script payload in the collection parameter, the application neither sanitizes nor escapes the user-supplied value before storing it in the database. The stored value is later retrieved and rendered in other users' sessions without adequate protection, so the injected JavaScript executes in the browser context of authenticated users. The vulnerability is classified under CWE-79, which covers cross-site scripting flaws arising from missing input validation and output encoding.
The operational impact extends beyond simple script injection: the flaw gives attackers persistent access to user sessions and potentially to sensitive database information. An unauthenticated attacker can execute arbitrary JavaScript in users' browsers, which could enable session hijacking, data exfiltration, or further exploitation of the underlying database system. Because the vulnerability is stored, injected code remains active for every future user who interacts with the affected collections, a persistent threat vector that can be triggered repeatedly over time. This vulnerability aligns with ATT&CK technique T1566, which covers social engineering through malicious content delivery.
Mitigation for CVE-2019-25454 should focus on proper input validation and output encoding throughout the application. The primary fix is to validate all user-supplied input, in particular the collection parameter, before it is stored in the database, and to escape all output for the context in which it is rendered in the browser. Organizations should also enforce access controls and authentication to limit exposure of the vulnerable endpoints, and maintain regular security updates and patch management to prevent exploitation of known vulnerabilities. Configuring Content Security Policy headers adds a further layer of defense against XSS. System administrators should also consider network-level protections such as web application firewalls to detect and block requests matching this vulnerability pattern.
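The following is an added illustration of the defect described in the analysis and of the fix outlined in the mitigation section; it is not phpMoAdmin's own code. It keeps the request shape the advisory gives (moadmin.php and a collection GET parameter used when creating a collection), but every function and variable name, the allow-list pattern for collection names, and the sample stored value are assumptions made here. The vulnerable function interpolates the stored name straight into HTML; the hardened path validates the name before it is stored and encodes it on output, with a CSP header as a second layer.

```php
<?php
// Added example, not phpMoAdmin code. Names and the validation pattern are assumptions.

// Vulnerable pattern: the stored collection name is interpolated into HTML unchanged,
// so any markup it contains reaches every browser that renders this page.
function render_collection_link_vulnerable(string $collection): string
{
    return '<a href="moadmin.php?collection=' . $collection . '">' . $collection . '</a>';
}

// Hardened pattern, step 1: validate on input. MongoDB collection names must be
// non-empty, must not contain "$" or NUL and must not start with "system."; a
// conservative allow-list (assumed here) also rules out every HTML metacharacter.
function is_valid_collection_name(string $collection): bool
{
    if ($collection === '' || strlen($collection) > 120) {
        return false;
    }
    if (strncmp($collection, 'system.', 7) === 0) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9_.-]+$/', $collection) === 1;
}

// Hardened pattern, step 2: encode on output for the context the value lands in.
// The text node and the attribute are HTML-encoded; the query-string component is
// additionally percent-encoded so the link stays well-formed.
function render_collection_link_hardened(string $collection): string
{
    $text = htmlspecialchars($collection, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = 'moadmin.php?collection=' . rawurlencode($collection);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

// Request handling for the "create collection" action: reject invalid names before
// anything is stored, and send a CSP that blocks inline script as defense in depth.
// The policy is a constructed strict example; a real deployment must allow whatever
// scripts and styles the page legitimately loads.
function handle_create_collection(array $get): string
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    $collection = $get['collection'] ?? '';
    if (!is_valid_collection_name($collection)) {
        http_response_code(400);
        return 'Invalid collection name.';
    }
    // ... create the collection in MongoDB here (omitted) ...
    return render_collection_link_hardened($collection);
}

// Constructed sample: a stored name that carries benign HTML markup.
$stored = 'users<b>x</b>';
echo "vulnerable: ", render_collection_link_vulnerable($stored), PHP_EOL;
echo "hardened:   ", render_collection_link_hardened($stored), PHP_EOL;
echo "accepted on input? ", is_valid_collection_name($stored) ? 'yes' : 'no', PHP_EOL;
echo "plain name accepted? ", is_valid_collection_name('users') ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`: the vulnerable line emits the markup verbatim, the hardened line emits it as entity-encoded text, and the validator rejects the sample name while accepting a plain one. Validation and output encoding are independent layers on purpose: validation stops bad names from ever being stored, and encoding protects against names that were stored before the fix or that arrive through another path.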