CVE-2013-3239 — phpmyadmin - security update

Description

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.

How to fix CVE-2013-3239

To remediate CVE-2013-3239, upgrade the affected package to a fixed version below.

—upgrade to 4:3.4.11.1-2 or later
—upgrade to 4:3.3.7-8 or later
—upgrade to 3.5.8.1 or later

Is CVE-2013-3239 being exploited?

Moderate — EPSS is 12.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 4:3.4.11.1-2
from 0, < 4:3.3.7-8
>= 3.5.0, < 3.5.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-3239
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-3239
PATCHgithub.com/phpmyadmin/phpmyadmin
WEBlists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html