CVE-2021-29625 Overview
CVE-2021-29625 is a Cross-Site Scripting (XSS) vulnerability affecting Adminer, the popular open-source database management software. This vulnerability impacts Adminer versions 4.6.1 through 4.8.0 and affects users managing MySQL, MariaDB, PgSQL, and SQLite databases. The vulnerability allows attackers to inject malicious scripts through improperly escaped URLs in the documentation link function.
While strict Content Security Policy (CSP) in modern browsers mitigates this vulnerability in most cases, systems using the pdo_ extension for database communication (when native extensions are not enabled) remain vulnerable. Browsers without CSP support are fully exposed to this attack vector.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated Adminer sessions, potentially leading to credential theft, session hijacking, or unauthorized database operations.
Affected Products
- Adminer versions 4.6.1 to 4.8.0
- Systems using pdo_ extensions (PDO MySQL, PDO PostgreSQL, PDO SQLite)
- Browsers without strict CSP support (Internet Explorer and legacy browsers)
Discovery Timeline
- 2021-05-19 - CVE CVE-2021-29625 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29625
Vulnerability Analysis
This XSS vulnerability exists in the doc_link function within Adminer's editing interface. The function generates documentation links for database-specific SQL syntax help but fails to properly sanitize URL components before inserting them into HTML anchor elements. When the vulnerable code path is executed, user-controllable input can be injected into the href attribute without proper encoding, enabling reflected XSS attacks.
The vulnerability is particularly concerning because Adminer operates with elevated database privileges. An attacker successfully exploiting this flaw could execute JavaScript within an authenticated administrator's browser session, potentially exfiltrating database credentials, executing arbitrary SQL commands, or establishing persistent backdoor access.
Root Cause
The root cause is improper output encoding in the doc_link() function located in adminer/include/editing.inc.php. The function constructs HTML anchor tags by directly concatenating URL paths without applying the h() HTML escaping function to sanitize potentially malicious input. This allows specially crafted URL components to break out of the href attribute context and inject arbitrary HTML or JavaScript.
Attack Vector
The attack exploits the network-accessible Adminer interface and requires user interaction (clicking a malicious link or visiting a crafted page). An attacker can construct a URL containing JavaScript payload that, when processed by the vulnerable doc_link function, executes in the victim's browser context. The attack is particularly effective against:
- Administrators using Internet Explorer or browsers without CSP
- Environments using PDO extensions instead of native database drivers (e.g., mysqli)
- Systems with PHP error display enabled (display_errors)
// Vulnerable code (before patch)
return ($paths[$jush] ? "<a href='$urls[$jush]$paths[$jush]'" . target_blank() . ">$text</a>" : "");
// Patched code (version 4.8.1)
return ($paths[$jush] ? "<a href='" . h($urls[$jush] . $paths[$jush]) . "'" . target_blank() . ">$text</a>" : "");
Source: GitHub Commit Update
Detection Methods for CVE-2021-29625
Indicators of Compromise
- Unusual JavaScript execution patterns in Adminer interface pages
- Unexpected HTTP requests originating from Adminer sessions to external domains
- Modified or suspicious URL parameters in Adminer access logs containing encoded script tags
- Session tokens or credentials being transmitted to unauthorized endpoints
Detection Strategies
- Monitor web application logs for Adminer requests containing suspicious URL-encoded payloads such as %3Cscript%3E or javascript: schemes
- Implement Content Security Policy violation reporting to detect XSS bypass attempts
- Review Adminer version strings in HTTP responses to identify vulnerable installations
- Deploy web application firewall (WAF) rules to detect XSS payloads targeting Adminer endpoints
Monitoring Recommendations
- Enable CSP violation reporting headers to capture blocked XSS attempts
- Configure SIEM rules to alert on anomalous Adminer access patterns or parameter injection attempts
- Audit Adminer installations across the environment to inventory version deployments
- Monitor for outbound connections from web servers hosting Adminer to unexpected destinations
How to Mitigate CVE-2021-29625
Immediate Actions Required
- Upgrade Adminer to version 4.8.1 or later immediately
- Enable native PHP database extensions (mysqli, pgsql, sqlite3) instead of PDO extensions
- Disable PHP error display in production by setting display_errors = Off in php.ini
- Ensure modern browsers with strict CSP support are used for Adminer access
Patch Information
The vulnerability is patched in Adminer version 4.8.1. The fix applies proper HTML escaping using the h() function to sanitize URL components before insertion into anchor tag attributes. The patch commit 4043092ec2c0de2258d60a99d0c5958637d051a7 addresses bug report #797. Upgrade details and patched releases are available via the GitHub Security Advisory GHSA-2v82-5746-vwqc.
Workarounds
- Use browsers with strict CSP support (Chrome, Firefox, Edge) until patching is complete
- Enable native PHP database extensions to avoid the vulnerable PDO code path
- Disable display_errors in PHP configuration to reduce attack surface
- Implement network-level access controls to restrict Adminer access to trusted IP ranges
- Consider deploying a reverse proxy with XSS filtering capabilities in front of Adminer
# Configuration example
# Disable PHP error display in php.ini
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
# Enable native MySQL extension instead of PDO
extension=mysqli
# Restrict Adminer access via Apache configuration
<Directory /var/www/adminer>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
