Several vulnerabilities have been discovered in phpMyAdmin, a tool to
administer MySQL over the web. The Common Vulnerabilities and Exposures
project identifies the following problems:
- CVE-2013-3239
Authenticated users could execute arbitrary code, when a SaveDir
directory is configured and Apache HTTP Server has the mod_mime
module enabled, by employing double filename extensions.
- CVE-2013-4995
Authenticatd users could inject arbitrary web script or HTML
via a crafted SQL query.
- CVE-2013-4996
Cross site scripting was possible via a crafted logo URL in
the navigation panel or a crafted entry in the Trusted Proxy list.
- CVE-2013-5003
Authenticated users could execute arbitrary SQL commands as
the phpMyAdmin control user via the scale parameter of PMD PDF
export.
For Debian 6 Squeeze, these issues have been fixed in phpmyadmin version 4:3.3.7-8