CVE-2021-29625

7.5 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in the Adminer database management tool that lets an attacker inject script into pages Adminer renders. It affects Adminer versions 4.6.1 to 4.8.0 when a PDO extension is used to connect to MySQL, MariaDB, PostgreSQL, or SQLite. Browsers that enforce Content Security Policy (CSP) mitigate it.

💻 Affected Systems

Products:
  • Adminer
Versions: 4.6.1 to 4.8.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when a PDO extension (pdo_mysql, pdo_pgsql, pdo_sqlite) is used instead of the corresponding native extension. Browsers that enforce CSP provide protection.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal database credentials, execute arbitrary database queries, or compromise the entire database server if Adminer runs with high privileges.

🟠 Likely Case: Session hijacking, credential theft, or limited database manipulation, depending on the user's permissions.

🟢 If Mitigated: Minimal impact when using browsers that enforce a strict CSP, or when the configuration workarounds below are applied.

🌐 Internet-Facing: HIGH if exposed without CSP protection, since the XSS can be exploited remotely.
🏢 Internal Only: MEDIUM, since internal attackers could still exploit it, but the attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious page) and a PDO-based Adminer configuration. Browser CSP enforcement makes exploitation difficult.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.1

Vendor Advisory: https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc

Restart Required: No

Instructions:

1. Download Adminer 4.8.1 or later from https://www.adminer.org.
2. Replace the existing Adminer files with the new version.
3. Verify functionality with test connections.

🔧 Temporary Workarounds

Enable Native PHP Extensions (linux)

Use native extensions (mysqli, pgsql, sqlite3) instead of PDO extensions. On Debian/Ubuntu the mysqli extension ships in the php-mysql package:

sudo apt-get install php-mysql php-pgsql php-sqlite3
sudo systemctl restart apache2    # or php-fpm, depending on how PHP is served

Disable PHP Error Display (all)

Prevent XSS via error messages by disabling display_errors:

Edit php.ini: display_errors = Off
Restart the web server

🧯 If You Can't Patch

  • Access Adminer only from browsers that enforce Content Security Policy (CSP)
  • Restrict Adminer access to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check the Adminer version in the interface footer or in the source code. If it is between 4.6.1 and 4.8.0 and a PDO extension is in use, you are vulnerable.

Check Version:

grep -r "VERSION" adminer_directory/

or check the web interface footer.

Verify Fix Applied:

Confirm version shows 4.8.1 or higher in Adminer interface. Test with PDO connections to ensure no XSS occurs.
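A version-and-driver check for the verification steps above, written here as an added example rather than Adminer's own tooling; it assumes a compiled adminer.php that carries `@version X.Y.Z` in its header comment (or a source tree with `$VERSION = "X.Y.Z"`) and reads `php -m` output to decide whether a PDO driver is what Adminer would actually fall back to:

```shell
#!/bin/sh
# Added example, not Adminer's own tooling: checks the two conditions the advisory names,
# Adminer version within 4.6.1..4.8.0 AND a PDO driver standing in for a native extension.

# "4.8.1" -> 4008001 so version ranges can be compared with integer arithmetic.
version_key() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}   # drop suffixes like "-dev"
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True (0) when the version lies inside the affected range, inclusive at both ends.
is_affected_version() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key 4.6.1)" ] && [ "$k" -le "$(version_key 4.8.0)" ]
}

# Pull the version out of an Adminer file. Assumption: compiled adminer.php states it as
# "@version X.Y.Z" in its header comment; the source tree as $VERSION = "X.Y.Z".
version_from_file() {
  sed -n 's/.*@version \([0-9][0-9.]*\).*/\1/p; s/.*\$VERSION *= *"\([0-9][0-9.]*\)".*/\1/p' "$1" \
    | head -n 1
}

# True (0) when the `php -m` output lists a PDO driver but not the native extension
# Adminer would use in preference to it (mysqli, pgsql, sqlite3).
uses_pdo_fallback() {
  modules=$1
  for pair in pdo_mysql:mysqli pdo_pgsql:pgsql pdo_sqlite:sqlite3; do
    pdo=${pair%%:*}; native=${pair##*:}
    if printf '%s\n' "$modules" | grep -qix "$pdo" \
       && ! printf '%s\n' "$modules" | grep -qix "$native"; then
      return 0
    fi
  done
  return 1
}

# $1 = Adminer version, $2 = `php -m` output. Returns 0 when both conditions hold.
assess() {
  if is_affected_version "$1" && uses_pdo_fallback "$2"; then
    echo "EXPOSED: Adminer $1 with a PDO driver in use (CVE-2021-29625)"; return 0
  fi
  echo "not affected by CVE-2021-29625: Adminer $1"; return 1
}

# Usage: sh check_adminer.sh /var/www/html/adminer.php
if [ -n "$1" ] && [ -f "$1" ]; then assess "$(version_from_file "$1")" "$(php -m 2>/dev/null)"; fi
```

Run it on the host that serves Adminer so that `php -m` reflects the extensions that web server's PHP actually loads.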

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from Adminer interface
  • Multiple failed login attempts with script-like patterns

Network Indicators:

  • Unexpected JavaScript payloads in Adminer HTTP requests

SIEM Query:

source="web_logs" url="*adminer*" (method="POST" OR method="GET") (content="<script>" OR content="javascript:")
