CVE-2013-4996
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content in a version.json file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 contain multiple XSS vulnerabilities via crafted database names, user names, logo URLs, proxy lists, or version.json files.
Vulnerability
phpMyAdmin versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2 are vulnerable to multiple cross-site scripting (XSS) flaws. These arise from insufficient escaping of user-supplied or externally fetched data in several components: setup/index.php via a crafted hash with a JavaScript event; the chart display view via an unescaped chart title; the server status monitor via unescaped query parameters when a malicious user with database or user creation privileges issues a sleep query with a long delay; the navigation sidebar via a malicious logo URL; the proxy list field in setup via unescaped input in Ajax error responses; and the version check feature via a crafted version.json file from phpmyadmin.net [2][3].
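An added defensive example in JavaScript (not phpMyAdmin's own code) showing the two controls the fixes described above depend on: context-correct HTML escaping for database and user names rendered in the status monitor, and strict allow-list validation of a fetched version.json before any field of it reaches the page. The version.json field names `version` and `date`, and the sample inputs, are assumptions constructed for this example.

```javascript
// Added defensive example, not phpMyAdmin's code. Field names "version"
// and "date" in version.json are assumed; samples below are constructed.

// Escape text destined for element content or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Allow-list for the version-check payload: a dotted numeric version with
// an optional pre-release tag, and an ISO date. Markup, wrong types, arrays
// or unparseable text are rejected outright, so a remotely fetched feed
// never contributes attacker-shaped strings to the page, escaped or not.
const VERSION_RE = /^\d+(\.\d+){1,3}(-(alpha|beta|rc)\d*)?$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

function parseVersionJson(text) {
  let obj;
  try { obj = JSON.parse(text); } catch { return null; }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  const { version, date } = obj;
  if (typeof version !== "string" || !VERSION_RE.test(version)) return null;
  if (typeof date !== "string" || !DATE_RE.test(date)) return null;
  return { version, date };
}

// Build one status-monitor row. Every dynamic value is escaped; the version
// fields are additionally validated, with a neutral fallback on failure.
function renderStatusRow(dbName, userName, versionJsonText) {
  const v = parseVersionJson(versionJsonText);
  const versionText = v ? `${v.version} (${v.date})` : "unavailable";
  return `<tr><td>${escapeHtml(dbName)}</td><td>${escapeHtml(userName)}</td>` +
         `<td>${escapeHtml(versionText)}</td></tr>`;
}

// Constructed samples: a benign feed and one whose version field carries markup.
const GOOD_JSON = JSON.stringify({ version: "4.0.4.2", date: "2013-07-30" });
const BAD_JSON = JSON.stringify({ version: "<b>4.0.4.2</b>", date: "2013-07-30" });
```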
Exploitation
For the stored XSS vectors (database name, user name, logo URL, proxy list), an attacker must be logged into phpMyAdmin because the token-based protection blocks unauthenticated requests to the required forms [2]. The setup XSS vectors require the victim to enter a crafted value. The version.json XSS can be exploited only through a combination of complicated techniques that trick the user into visiting a crafted page [3]. An attacker with permission to create databases or users can include HTML tags in their name; when a victim views the server status monitor with a long-running sleep query, the malicious script executes [2].
Impact
Successful exploitation allows a remote attacker to inject arbitrary web script or HTML in the context of the phpMyAdmin application [2][3]. This can lead to session hijacking, credential theft, or other client-side attacks against an authenticated phpMyAdmin user. The severity is considered non-critical for most vectors, but the version.json XSS is considered serious [2][3].
Mitigation
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 (released 2013-07-30) [2][3]. Patches are available as commits in the phpMyAdmin repository; apply them if upgrading is not immediately possible [3]. No workarounds are documented; the vendor recommends upgrading to the fixed versions.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- (no CPE) range: 3.5.x < 3.5.8.2, 4.0.x < 4.0.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2013-11.php (nvd; Vendor Advisory)
- www.phpmyadmin.net/home_page/security/PMASA-2013-9.php (nvd; Vendor Advisory)
- secunia.com/advisories/59832 (nvd)
- www.securityfocus.com/bid/61921 (nvd)
News mentions
No linked articles in our index yet.