CVE-2013-5003
Description
Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerabilities in phpMyAdmin allow authenticated users to execute arbitrary SQL commands via unsanitized parameters in schema_export.php and pmd_pdf.php.
Vulnerability
Multiple SQL injection vulnerabilities exist in phpMyAdmin versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2. The flaws reside in the pmd_pdf.php and schema_export.php scripts, where the scale and pdf_page_number parameters, respectively, are not properly validated before being used in SQL queries. This allows an authenticated user to inject arbitrary SQL statements. The vulnerability is triggered only when a control user has been configured as part of the phpMyAdmin configuration storage installation [2].
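To show the bug class the Vulnerability section describes (a request parameter that is expected to be a number reaching a SQL statement without validation), the following is an added Python example; it is neither phpMyAdmin's PHP code nor part of the advisory. The `pdf_pages` table, its columns and the use of `scale` as the parameter name are assumptions chosen to mirror the pattern, not phpMyAdmin's real schema. The vulnerable function keeps the flaw on purpose so the contrast with the hardened form is visible.

```python
"""Unvalidated numeric parameter interpolated into SQL versus the same lookup
done with type enforcement and a bound parameter. Added example code, not
phpMyAdmin's; table, columns and parameter name are constructed stand-ins."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: PDF page layouts keyed by a scale factor.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pdf_pages (page_nr INTEGER, scale INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO pdf_pages VALUES (?, ?, ?)",
        [(1, 100, "overview"), (2, 50, "detail"), (3, 100, "index")],
    )
    return conn


def pages_vulnerable(conn: sqlite3.Connection, scale: str) -> list:
    # The flaw the advisory describes: the raw request value becomes part of
    # the SQL text, so anything other than a plain number rewrites the query.
    sql = f"SELECT page_nr, name FROM pdf_pages WHERE scale = {scale}"
    return conn.execute(sql).fetchall()


def pages_hardened(conn: sqlite3.Connection, scale: str) -> list:
    # Fix: enforce the expected type before the value gets near the database,
    # then bind it so the driver treats it as data rather than as SQL.
    if not scale.isdigit():
        raise ValueError(f"scale must be a non-negative integer, got {scale!r}")
    sql = "SELECT page_nr, name FROM pdf_pages WHERE scale = ?"
    return conn.execute(sql, (int(scale),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(pages_vulnerable(db, "50"))          # the single intended row
    print(pages_vulnerable(db, "50 OR 1=1"))   # every row: the WHERE clause was rewritten
    print(pages_hardened(db, "50"))            # the single intended row
    try:
        pages_hardened(db, "50 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Both defences matter: the type check rejects malformed input early and gives a clear error, and the bound parameter means that even a value which slips past validation cannot change the statement's structure.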
Exploitation
An attacker must be logged into phpMyAdmin to exploit these vulnerabilities, as the standard token protection prevents unauthenticated access to the required forms. Additionally, a control user must have been created and configured in the phpMyAdmin configuration storage. The attacker can then craft a malicious request to pmd_pdf.php or schema_export.php with a specially crafted scale or pdf_page_number parameter containing SQL injection payloads [2].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands with the privileges of the control user. This grants read and write access to the tables of the configuration storage database. If the control user has sufficient privileges, the attacker may also gain read access to some tables of the mysql database, leading to privilege escalation beyond the attacker's original permissions [2].
Mitigation
The vulnerabilities are fixed in phpMyAdmin versions 3.5.8.2 and 4.0.4.2, released on 2013-07-28. Users should upgrade to these versions or apply the provided patches. No workarounds are documented. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
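Two checks a defender would want alongside the upgrade advice above, written here as an added Python example (not phpMyAdmin's code and not from the advisory): a predicate that tells whether a given phpMyAdmin version falls inside the affected ranges the advisory states, and a triage pass over web server access logs that flags requests to the two named scripts whose `scale` or `pdf_page_number` values are not plain integers. The log format, the sample lines and the IP addresses are constructed for the example; the assumption that both parameters are expected to be integers follows from the advisory treating them as unvalidated inputs to SQL and is not something it states.

```python
"""Affected-version predicate and access-log triage for CVE-2013-5003.
Added example code; version ranges come from the advisory, everything else
(log format, sample lines, integer expectation) is assumed or constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# First fixed release on each affected branch, as stated in the advisory.
FIXED = {"3.5": (3, 5, 8, 2), "4.0": (4, 0, 4, 2)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    # "3.5.8" -> (3, 5, 8, 0); a trailing tag such as "-rc1" is ignored, which
    # keeps pre-releases ordered before the final build of the same number.
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED.get(f"{v[0]}.{v[1]}")
    # Only the 3.5 and 4.0 branches are named by the advisory; anything else is
    # reported as not affected by this CVE, not as safe in general.
    return fixed is not None and v < fixed


# Script -> parameter pairing given in the advisory.
WATCHED = {"pmd_pdf.php": "scale", "schema_export.php": "pdf_page_number"}

# Common/combined access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def suspicious_requests(lines) -> list:
    """Return (ip, script, parameter, value) for requests to the watched scripts
    whose watched parameter is not a plain non-negative integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m["target"])
        script = url.path.rsplit("/", 1)[-1]
        param = WATCHED.get(script)
        if param is None:
            continue
        for value in parse_qs(url.query).get(param, []):
            if not value.isdigit():
                hits.append((m["ip"], script, param, value))
    return hits


# Constructed sample log lines; addresses and paths are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2013:10:01:02 +0000] "GET /phpmyadmin/pmd_pdf.php?db=app&scale=100 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Jul/2013:10:02:15 +0000] "GET /phpmyadmin/pmd_pdf.php?db=app&scale=100+OR+1%3D1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Jul/2013:10:02:40 +0000] "GET /phpmyadmin/schema_export.php?db=app&pdf_page_number=1%27 HTTP/1.1" 500 310',
    '10.0.0.5 - - [28/Jul/2013:10:03:00 +0000] "GET /phpmyadmin/index.php?db=app HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ver in ("3.5.8.1", "3.5.8.2", "4.0.4", "4.0.4.2", "4.1.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The log check only sees parameters carried in the query string; values sent in a POST body do not appear in a standard access log, so the absence of hits there is not evidence that nothing was attempted. Because exploitation requires an authenticated session, a hit is worth correlating with the phpMyAdmin login associated with that source address.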
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
24 CPE entries:
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- (no CPE) version range: <3.5.8.2, <4.0.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.