A server-side request forgery vulnerability was reported with the setup script. This flaw can allow an unauthenticated attacker to:
1.brute-force passwords of MYSQL servers that allow remote logins.
2.brute-force passwords of MYSQL servers behind the firewall where HTTP server that run PMA is placed.
3.detect internal hostnames.
4.detect opened ports on internal network
Additionally there was a race condition between writing configuration and administrator moving it allowing unauthenticated users to read or alter it.