CVE-2013-4997

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value.

How to fix CVE-2013-4997

To remediate CVE-2013-4997, upgrade the affected package to a fixed version below.

• Debian/phpmyadmin—upgrade to 4:4.0.4.2-1 or later
• Packagist/phpmyadmin/phpmyadmin—upgrade to 3.5.8.2 or later

Is CVE-2013-4997 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4:4.0.4.2-1
• >= 3.5, < 3.5.8.2

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4997
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4997
• PATCHgithub.com/phpmyadmin/composer
• WEBwww.phpmyadmin.net/home_page/security/PMASA-2013-9.php