Comment 5 for bug 2016018

Athos Ribeiro (athos-ribeiro) wrote :

I installed mysql-server, phpmyadmin and libapache2-mod-php.
Then, I browsed to the phpmyadmin login panel at localhost/phpmyadmin and logged in with user phpadmin and the password set during the phpmyadmin installation.
I selected the phpmyadmin database, created the '"><img src=x onerror=alert(11)>.sql' file locally and drag/dropped it into the phpmyadmin page.

A menu popped up in the lower right corner saying the upload failed. When I click on the "Failed" link, the alert JS command is executed and an alert window shows up in the browser, confirming the XSS bug.

At this point, the phpmyadmin version installed is 4:5.1.1+dfsg1-5ubuntu1.

I then upgrade phpmyadmin to the version in -proposed, 4:5.1.1+dfsg1-5ubuntu1.1.

I drag and drop that same file again, and the failed message pops up once again. Once again, when clicking the Failed link, the alert shows up.

I am using Mozilla Firefox 116.0.3 in Ubuntu Mantic.

It seems the patch is not fixing the CVE here.

William, am I missing something here?