CVE-2020-35572: 
PHP vulnerability analysis and mitigation

Adminer through version 4.7.8 contains a Cross-Site Scripting (XSS) vulnerability that was discovered in December 2020. The vulnerability (CVE-2020-35572) allows attackers to execute XSS attacks via the history parameter to the default URI. This security issue affects all versions of Adminer up to and including 4.7.8 (NVD, CVE).

The vulnerability is classified as a Reflected XSS issue with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), and has a changed scope (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, but no availability impact (A:N). The vulnerability can be triggered by manipulating the 'history' parameter in the URL, particularly noticeable when using browsers like Edge that don't sanitize input in the address bar (SourceForge Bug).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

The vulnerability was fixed in Adminer version 4.7.9. Users are advised to upgrade to this version or later to mitigate the risk. The fix prevents XSS attacks in browsers that don't encode URL parameters (SourceForge News).