Vulnerability details: VCID-57hj-3vk6-a3dk
Vulnerability ID VCID-57hj-3vk6-a3dk
Aliases CVE-2013-3239
GHSA-gg36-9346-9qx9
Summary phpMyAdmin Remote Code Execution. phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 8.5 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
cvssv3.1 8.5 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
cvssv3.1 8.5 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
cvssv3.1 8.5 http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
epss 0.12333 https://api.first.org/data/v1/epss?cve=CVE-2013-3239
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gg36-9346-9qx9
cvssv3.1 8.5 https://github.com/phpmyadmin/phpmyadmin
generic_textual HIGH https://github.com/phpmyadmin/phpmyadmin
cvssv3.1 8.5 https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
generic_textual HIGH https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
cvssv3.1 8.5 https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
generic_textual HIGH https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
cvssv3.1 8.5 https://nvd.nist.gov/vuln/detail/CVE-2013-3239
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2013-3239
cvssv3.1 8.5 http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
generic_textual HIGH http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
Data source Exploit-DB
Date added April 25, 2013
Description phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities
Ransomware campaign use Known
Source publication date April 25, 2013
Exploit type webapps
Platform php
Source update date May 1, 2013
Source URL http://www.waraxe.us/advisory-103.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2013-3239
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
Exploit Prediction Scoring System (EPSS)
Percentile 0.93595
EPSS Score 0.12333
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:10:24.986118+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gg36-9346-9qx9/GHSA-gg36-9346-9qx9.json 37.0.0