CVE-2013-4997

Name of the Vulnerable Software and Affected Versions phpMyAdmin versions 3.5.x through 3.5.8.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to "setup/index.php" or (2) a chartTitle (aka chart title) value. This enables attackers to perform cross-site scripting (XSS) attacks.

Recommendations For phpMyAdmin versions 3.5.x through 3.5.8.1, update to version 3.5.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "setup/index.php" endpoint and avoiding the use of the chartTitle value until a patch is applied.