CVE-2013-1937
Published 2013-04-16
Priority P3 · 33 · medium · 6.1 CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 4.71% (90.7th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | <= 3.5.8 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 6.1 | LOW | — |
Debian
vendor_debian · 2013 · CVSS 6.1 · MEDIUM
CVE-2013-1937: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php...
Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-79
GHSA-8m58-pwg7-52c3: ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."
No detection rules found.
Bugzilla
bugzilla · 2013-04-09 · CVSS 6.1 · MEDIUM
CVE-2013-1937 phpMyAdmin: XSS flaw when displaying GIS Visualization(s) [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug
Bugzilla
bugzilla · 2013-04-09 · CVSS 6.1 · MEDIUM
CVE-2013-1937 phpMyAdmin: XSS flaw when displaying GIS Visualization(s) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this is
Bugzilla
bugzilla · 2013-04-09 · CVSS 6.1 · MEDIUM
CVE-2013-1937 phpMyAdmin: XSS flaw when displaying GIS Visualization(s) (PMASA-2013-1)
A cross-site scripting (XSS) flaw was found in the way phpMyAdmin, a tool to handle the administration of MySQL over the World Wide Web, sanitized certain input when displaying GIS visualization(s). A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the phpMyAdmin user's session.
References:
[1] http://seclists.org/fulldisclosure/2013/Apr/100
Relevant upstream patch:
[2] https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a
Discussion:
This issue affects the versions of the phpMyAdmin package as shipped with Fedora releases 17 and 18, and Fedora EPEL-6. Please schedule an
References
http://archives.neohapsis.com/archives/fulldisclosure/2013-04/0101.html
http://immunityservices.blogspot.com/2019/02/cvss.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103184.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103188.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103195.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
http://openwall.com/lists/oss-security/2013/04/09/13
http://packetstormsecurity.com/files/121205/phpMyAdmin-3.5.7-Cross-Site-Scripting.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:144
http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php
http://www.waraxe.us/advisory-102.html
https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a