CVE-2013-5001
Description
Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in phpMyAdmin 4.0.x before 4.0.4.2 via crafted object name in TextLinkTransformationPlugin.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in phpMyAdmin versions 4.0.x prior to 4.0.4.2. The flaw resides in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php. When the TextLinkTransformationPlugin is used to create a link to an object while displaying table contents, the object name is not properly escaped. An authenticated user can craft a malicious object name that, when rendered, executes arbitrary web script or HTML in the context of the phpMyAdmin session [1].
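The class of bug described above, shown as an added illustration. This is not phpMyAdmin's code or its fix commit; the function names, the URL and the sample object name are hypothetical and constructed for the example.

```php
<?php
// Added illustration, not phpMyAdmin source. All names and sample
// values below are hypothetical / constructed.

// Weak form: the object name is concatenated into the markup as-is,
// so any quote or angle bracket in it becomes part of the HTML.
function renderLinkUnescaped(string $url, string $name): string
{
    return '<a href="' . $url . '" title="' . $name . '">' . $name . '</a>';
}

// Hardened form: every value is HTML-encoded before it reaches an
// attribute value or element body.
function renderLinkEscaped(string $url, string $name): string
{
    $flags    = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeUrl  = htmlspecialchars($url, $flags, 'UTF-8');
    $safeName = htmlspecialchars($name, $flags, 'UTF-8');
    return '<a href="' . $safeUrl . '" title="' . $safeName . '">' . $safeName . '</a>';
}

// Regression check: the output must be exactly one anchor element whose
// attributes and text contain no raw quotes or angle brackets.
function isSingleAnchor(string $html): bool
{
    $pattern = '~^<a href="[^"<>]*" title="[^"<>]*">[^<>]*</a>$~';
    return preg_match($pattern, $html) === 1;
}

$url  = 'https://example.test/view?id=1';   // constructed sample
$name = 'orders"><b>injected</b>';          // constructed object name with markup characters

foreach (['renderLinkUnescaped', 'renderLinkEscaped'] as $fn) {
    $out = $fn($url, $name);
    printf("%s\n  %s\n  single anchor only: %s\n", $fn, $out, isSingleAnchor($out) ? 'yes' : 'no');
}
```

The unescaped renderer fails the check because the name closes the `title` attribute and opens a new element; the escaped renderer passes because the same characters are emitted as entities.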
Exploitation
An attacker must be an authenticated phpMyAdmin user with the ability to create or modify objects (e.g., table names or other database objects) that are displayed using the TextLinkTransformationPlugin. The attacker supplies a crafted object name containing malicious JavaScript or HTML. When any user (including the attacker) views the table contents with the transformation enabled, the injected script executes in the victim's browser. No additional user interaction beyond viewing the affected page is required [1].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML into the phpMyAdmin interface. This can lead to session hijacking, defacement, theft of sensitive data, or further attacks against the phpMyAdmin instance. The vulnerability is classified as stored XSS, meaning the payload persists and affects all users who view the compromised data [1].
Mitigation
The issue is fixed in phpMyAdmin version 4.0.4.2. Users should upgrade to this version or later. Patches are also available via the commit e0c8704f725c56c87b644676ded94dba695de39f. No workarounds are documented; upgrading is the recommended action [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- (no CPE) range: >=4.0.0, <4.0.4.2
Patches
No patches discovered yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2013-13.php (nvd, Vendor Advisory)