
Security Advisory – Cross-Site Scripting Vulnerability in phpMyBackupPro

Notice ID: INCIBE-CERT-2025-AV-071

Date: June 25, 2025

Severity: Medium

Description

A reflected cross-site scripting (XSS) vulnerability has been identified in the web interface of phpMyBackupPro. Values supplied in the request are written back into interface pages without encoding, so an attacker can craft a link that injects script into those pages; the script executes in the browser session of any user who opens the link.

Affected Versions

  • phpMyBackupPro versions prior to 2.5
  • Installations where user input is reflected without sanitization

Impact

This vulnerability could be exploited to:

  • Steal session cookies
  • Perform actions on behalf of authenticated users
  • Inject unauthorized content into backup interface pages

Technical Details

The vulnerability exists because values taken from GET parameters are written back into the HTML produced by interface scripts such as index.php and config.php without output encoding. An attacker can craft a URL in which one of these parameters carries script markup (for example a <script> element, or a quote that closes an attribute and adds an event handler); a victim who opens the link while logged in has that script run in their session.

Solution

  • Update to phpMyBackupPro version 2.5 or later
  • Encode every request-derived value at the point where it is written into the page, using htmlspecialchars() with ENT_QUOTES (or an equivalent context-aware encoder); input filtering alone is not a substitute for output encoding
  • Disable public access to configuration panels where not needed

Mitigation

Until an update is applied:

  • Limit access to the interface via .htaccess or firewall rules so that only trusted hosts can reach it
  • Audit every point where request parameters are written into interface pages
  • Set the HttpOnly flag on session cookies; this blocks cookie theft through document.cookie but does not stop an injected script from issuing requests within the victim's session
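The following is an added example, not code from phpMyBackupPro or from this advisory, that puts the Technical Details, Solution and Mitigation sections side by side: a reflected-parameter render in the vulnerable form, the same render with htmlspecialchars() output encoding, and the HttpOnly session-cookie setting. Function names, parameter names (msg, dir) and the sample request are assumptions for illustration and do not correspond to the project's own scripts. Run it with the PHP CLI (PHP 7.3 or later for the samesite key).

```php
<?php
// Added example (not phpMyBackupPro code). Names and sample input are
// assumptions for illustration only.
declare(strict_types=1);

// Vulnerable pattern: request values are concatenated straight into HTML.
// A URL such as  index.php?msg=<script>alert(document.cookie)</script>
// makes the victim's browser execute the script in their own session.
function render_vulnerable(array $get): string
{
    $msg = (string)($get['msg'] ?? '');
    $dir = (string)($get['dir'] ?? '');
    return '<p class="status">' . $msg . '</p>'
         . '<input type="text" name="dir" value="' . $dir . '">';
}

// Hardened pattern: every untrusted value is encoded for the HTML context it
// lands in. ENT_QUOTES matters for attribute values: the default (ENT_COMPAT)
// leaves single quotes alone, so a single-quoted attribute could still be
// broken out of. ENT_SUBSTITUTE avoids returning an empty string on invalid
// UTF-8, which would otherwise silently blank the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string
{
    $msg = (string)($get['msg'] ?? '');
    $dir = (string)($get['dir'] ?? '');
    return '<p class="status">' . h($msg) . '</p>'
         . '<input type="text" name="dir" value="' . h($dir) . '">';
}

// Interim mitigation from the advisory: HttpOnly keeps document.cookie out of
// reach of an injected script. Secure and SameSite are added here as sensible
// companions (an assumption; the advisory lists only HttpOnly). This must be
// called before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample request, shaped the way an attacker would craft the link:
// one parameter carries a script element, the other closes the value attribute
// and adds an event handler.
$attack = [
    'msg' => '<script>alert(document.cookie)</script>',
    'dir' => 'x" onfocus="alert(1)" autofocus="',
];

echo "Vulnerable output:\n", render_vulnerable($attack), "\n\n";
echo "Hardened output:\n",  render_hardened($attack), "\n";

if (PHP_SAPI !== 'cli') {
    harden_session_cookie();
    session_start();
}
```

In the vulnerable output the script element and the injected onfocus handler survive intact; in the hardened output they appear as literal text (&lt;script&gt;, &quot;) and nothing executes. Note that the encoding must be applied at render time in each script that reflects a parameter, which is why the Mitigation section asks for an audit of every such point rather than a single filter on the way in.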

Reporting

This vulnerability was responsibly disclosed and coordinated through standard reporting channels. No active exploitation has been confirmed at the time of publication.