CVE-2013-4997
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow arbitrary script injection via anchor identifiers or chart titles.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2 [2]. The vulnerabilities involve insufficient sanitization of user-supplied input. Specifically, arbitrary JavaScript can be injected via a crafted anchor identifier (e.g., #) in the URL when accessing setup/index.php, or via the chartTitle parameter in chart display views [1][2].
Exploitation
An attacker can exploit these vulnerabilities without authentication if they can induce a user to click a crafted link. For the setup/index.php vector, a crafted URL with a JavaScript event in the anchor identifier triggers XSS when the page loads. For the chart title, a malicious chartTitle value containing HTML event attributes leads to script execution when the chart is rendered [2]. No special network position is required beyond the ability to deliver the crafted link to the victim.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's phpMyAdmin session. This can lead to session hijacking, defacement, or redirection to malicious sites. The attack is reflected and requires user interaction (clicking a link). However, the setup interface may be used by administrators, increasing the impact.
Mitigation
The vulnerabilities are fixed in phpMyAdmin versions 3.5.8.2 and 4.0.4.2 [2]. Users should upgrade immediately. There is no known KEV listing. If immediate upgrade is not possible, administrators should restrict access to the setup interface and avoid clicking untrusted links. No workarounds are provided in the references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 3.5, < 3.5.8.2 | 3.5.8.2 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- (no CPE) range: >=3.5.0,<3.5.8.2
GHSA coordinates (2 version ranges)
- (no CPE) range: >= 3.5, < 3.5.8.2
- (no CPE) range: < 4.6.5.2-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2013-9.php (source: NVD; Vendor Advisory, WEB)
- github.com/advisories/GHSA-5gh4-v2ch-pcx4 (source: GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-4997 (source: GHSA; ADVISORY)
News mentions
No linked articles in our index yet.