VYPR
Low severity · NVD Advisory · Published Jul 31, 2013 · Updated Apr 29, 2026

CVE-2013-5002

Description

Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 are vulnerable to a self-XSS via a crafted pageNumber parameter in schema_export.php.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Export_Relation_Schema.class.php file within the libraries/schema/ directory of phpMyAdmin [1]. The flaw allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value passed to schema_export.php. Affected versions are phpMyAdmin 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2 [3].

Exploitation

An attacker must be authenticated to phpMyAdmin, as the usual token protection prevents unauthenticated access to the required form [3]. The attacker crafts a malicious pageNumber parameter containing JavaScript or HTML and sends it to schema_export.php. The unsanitized input is then reflected in the schema export output, executing the injected code in the context of the victim's browser session.

Impact

Successful exploitation results in self-XSS: the injected script runs only in the attacker's own session unless another authenticated user is tricked into clicking a crafted link. Combined with such social engineering, it could be used to steal session cookies or perform actions on behalf of the victim. The phpMyAdmin team considers the vulnerability non-critical [3].

Mitigation

Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer, or apply the provided patches [3]. The fix commits are 1293e9b6e9eb7a831c5738f346ea44dee6d1bf0f (master) and dede065d7ad59fb7c31ae384961564b7f7a7c005 (3.5 branch) [3]. No workaround is documented; upgrading is the recommended solution.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem) | Affected versions | Patched versions
phpmyadmin/phpmyadmin (Packagist) | >= 3.5, < 3.5.8.2 | 3.5.8.2
phpmyadmin/phpmyadmin (Packagist) | >= 4.0, < 4.0.4.2 | 4.0.4.2
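
The affected ranges and patched versions listed above can be turned into a fleet check. The following is an added example, not code from phpMyAdmin or from this advisory; the host names and the sample inventory are constructed, and it assumes upstream version strings such as `3.5.8.1` or `4.0.0-rc2`.

```python
import re

# Patched release per affected branch, as listed in the advisory above.
FIXED = {(3, 5): (3, 5, 8, 2), (4, 0): (4, 0, 4, 2)}
_VERSION = re.compile(r"^(\d+(?:\.\d+){1,3})(?:[-_.]?(?:rc|beta|alpha|dev)\d*)?$", re.I)


def parse_version(text):
    """Return ((a, b, c, d), is_prerelease) for an upstream version string."""
    text = text.strip()
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (4 - len(parts))  # pad 3.5.8 to (3, 5, 8, 0)
    return parts, m.end(1) != m.end()  # anything after the digits is a pre-release tag


def status(text):
    """Return (state, upgrade_to); state is 'affected', 'patched' or 'not-listed'."""
    parts, prerelease = parse_version(text)
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "not-listed", None  # branch outside the ranges this advisory names
    # A pre-release of the patched version predates it, so treat it as affected.
    if parts < fixed or (parts == fixed and prerelease):
        return "affected", ".".join(map(str, fixed))
    return "patched", None


def triage(inventory):
    """Map {host: version} to a sorted list of (host, version, upgrade_to) needing action."""
    rows = []
    for host, version in inventory.items():
        state, upgrade_to = status(version)
        if state == "affected":
            rows.append((host, version, upgrade_to))
    return sorted(rows)


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "db-admin-01": "3.5.8.1",
    "db-admin-02": "3.5.8.2",
    "db-admin-03": "4.0.0-rc2",
    "db-admin-04": "4.0.5",
    "db-admin-05": "4.1.0",
}

if __name__ == "__main__":
    for host, version, upgrade_to in triage(SAMPLE):
        print(f"{host}: {version} is affected by CVE-2013-5002, upgrade to {upgrade_to} or newer")
```

Distribution package versions that carry an epoch or packaging revision are rejected by `parse_version` and need to be mapped to the upstream version first.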

Affected products

25
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
    • (no CPE) range: 3.5.x < 3.5.8.2, 4.0.x < 4.0.4.2
  • ghsa-coords (2 versions)
    • (no CPE) range: >= 3.5, < 3.5.8.2
    • (no CPE) range: < 4.6.5.2-1.1
