CVE-2013-3239

phpMyAdmin <3.5.8 and <4.0.0-rc3 - Authenticated RCE

Description

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.

Exploits (1)

exploitdb WRITEUP
webapps php
https://www.exploit-db.com/exploits/25003

Scores

EPSS 0.1233
EPSS Percentile 93.9%

Details

CWE
CWE-94
Status published
Products (13)
phpmyadmin/phpmyadmin 3.5.0.0
phpmyadmin/phpmyadmin 3.5.1.0
phpmyadmin/phpmyadmin 3.5.2.0
phpmyadmin/phpmyadmin 3.5.2.1
phpmyadmin/phpmyadmin 3.5.2.2
phpmyadmin/phpmyadmin 3.5.3.0
phpmyadmin/phpmyadmin 3.5.4
phpmyadmin/phpmyadmin 3.5.5
phpmyadmin/phpmyadmin 3.5.6
phpmyadmin/phpmyadmin 3.5.7 (2 CPE variants)
... and 3 more
Published Apr 26, 2013
Tracked Since Feb 18, 2026