VYPR
Medium severity (6.1) · NVD Advisory · Published Apr 16, 2013 · Updated Apr 29, 2026

CVE-2013-1937

Description

Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in phpMyAdmin 3.5.x before 3.5.8 allows injection via the visualizationSettings parameters, but exploitation requires a valid session token and a valid database name.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in tbl_gis_visualization.php in phpMyAdmin versions 3.5.0 through 3.5.7 [3][4]. The parameters visualizationSettings[width] and visualizationSettings[height] are echoed directly into the HTML style attribute without sanitization, allowing an attacker to inject arbitrary HTML or JavaScript [3]. The vulnerable code path is only reachable when the user has a valid session, knows the token parameter, and provides a valid database name [3][4].
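To make the mechanism concrete, here is an added PHP illustration (not phpMyAdmin's own code) of the pattern the advisory describes: request-controlled width and height values written into a style attribute untouched, beside a hardened renderer that validates each dimension as a bounded integer and escapes on output. The function names, the `$settings` array shape and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not phpMyAdmin code. Assumed input shape: an array built
// from the visualizationSettings[...] query parameters, e.g.
// $_REQUEST['visualizationSettings'] with 'width' and 'height' keys.

// Unsafe pattern: the request value is concatenated into a style attribute
// as-is, so a value containing a double quote terminates the attribute and
// whatever follows becomes new markup (the reflected XSS in CVE-2013-1937).
function render_svg_unsafe(array $settings): string {
    return '<svg style="width:' . $settings['width']
         . 'px;height:' . $settings['height'] . 'px;"></svg>';
}

// Hardened: a dimension is either a plain integer within a sane range or
// the default. Anything else (quotes, tags, floats, empty) is discarded.
function dimension(array $settings, string $key, int $default): int {
    $raw = $settings[$key] ?? null;
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 4096],
    ]);
    return $value === false ? $default : $value;
}

function render_svg_safe(array $settings): string {
    $width  = dimension($settings, 'width', 600);
    $height = dimension($settings, 'height', 450);
    // The values are already integers; output escaping is kept anyway so the
    // attribute stays intact if this renderer is later fed other inputs.
    $style = htmlspecialchars("width:{$width}px;height:{$height}px;", ENT_QUOTES, 'UTF-8');
    return '<svg style="' . $style . '"></svg>';
}

// Constructed sample: the width carries a double quote followed by a harmless
// marker attribute, enough to show the attribute boundary being broken.
$sample = ['width' => '600" data-injected="1', 'height' => '450'];
echo render_svg_unsafe($sample), "\n";  // marker lands outside the style attribute
echo render_svg_safe($sample), "\n";    // width falls back to the default integer
```

Validating the dimensions as integers is the fix that matters; the output escaping alone would also have prevented the attribute break-out, so both layers together give defence in depth.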

Exploitation

To exploit this vulnerability, an attacker must trick a logged-in phpMyAdmin user into visiting a crafted URL that includes valid db and token parameters (the token is tied to the user's session) [3][4]. The injected payload is reflected in the page's HTML, executing in the context of the victim's session. Practical exploitation is difficult because the attacker needs the victim's session token and a valid database name; the blog post [1] notes that this effectively makes it a self-XSS or requires prior access.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the phpMyAdmin session context. This could lead to session hijacking, manipulation of database queries, or theft of sensitive data displayed on the page. However, the official advisory [4] and the blog [1] consider this non-critical because the attacker already needs a valid session token and database name, limiting the attack to self-XSS or scenarios where the attacker has some prior access.

Mitigation

The vulnerability is fixed in phpMyAdmin version 3.5.8, released on 2013-04-08 [2][4]. Users should upgrade to 3.5.8 or later. Patches are available via commits 79089c9bc02c82c15419fd9d6496b8781ae08a5a and 7e9ac67cbb58b40fbe0c18401b8e7d033c9dfe28 [4]. No workaround is provided other than upgrading. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (14)

  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:*:rc1:*:*:*:*:*:* (range: <=3.5.8)
  • (no CPE) (range: <3.5.8)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (12)

News mentions (0)

No linked articles in our index yet.