CVE-2013-4995
Description
Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 are vulnerable to a stored XSS via crafted SQL queries due to unescaped HTML output.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in phpMyAdmin versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2. The flaw occurs when a crafted SQL query is executed and the resulting row information is displayed without proper escaping of HTML output [1]. An authenticated user can inject arbitrary web script or HTML via a specially crafted SQL query [1].
Exploitation
Exploitation requires an attacker to be logged into phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form [1]. The attacker crafts a SQL query containing malicious script and executes it. The script is then stored and executed when the row information is displayed to other users or the attacker [1].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into the phpMyAdmin interface, leading to potential information disclosure, session hijacking, or other client-side attacks within the context of the phpMyAdmin application and its user's session [1].
Mitigation
The vulnerability is fixed in phpMyAdmin versions 3.5.8.2 and 4.0.4.2, released on or around 2013-07-28 [1]. Users should upgrade to these patched versions or apply the patches provided in the PMASA-2013-8 advisory [1]. No known workaround exists other than upgrading.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
24cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*+ 22 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- (no CPE)range: <3.5.8.2, <4.0.4.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.