CVE-2013-3239
HIGH 8.5
EPSS 12.3%
phpmyadmin - security update
Published: 5/17/2022
Modified: 5/7/2026
Description
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.
Affected packages (3)
- Debian/phpmyadmin: from 0, < 4:3.4.11.1-2
- Debian/phpmyadmin: from 0, < 4:3.3.7-8
- Packagist/phpmyadmin/phpmyadmin: >= 3.5.0, < 3.5.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2013-3239
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2013-3239
- PATCH: https://github.com/phpmyadmin/phpmyadmin
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
- WEB: http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
- WEB: http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php