SQL Injection

Affecting phpmyadmin/phpmyadmin package, versions >=4.0.0, <4.9.5 || >=5.0.0, <5.0.2

Overview

phpmyadmin/phpmyadmin is a web interface for MySQL and MariaDB.

Affected versions of this package are vulnerable to SQL Injection. Certain parameters were not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker who can create a database or table can give it a crafted name that contains SQL. The injected SQL is executed when a user performs certain search operations on that malicious database or table, in the context of the user who triggered the search; the attacker does not need to interact with phpMyAdmin directly, which is why the score below has User Interaction: Required and Privileges Required: None.
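As an added example (not code from this advisory or from phpMyAdmin), the Python script below reproduces the query-construction flaw described above: a table whose name carries SQL is searched once with the name interpolated raw and once with it quoted as a MySQL identifier. SQLite stands in for MySQL because it accepts MySQL-style backtick-quoted identifiers. The table names, the column body, the sample rows and the backquote/sql_quote helpers are all constructed for this illustration and are not phpMyAdmin's own functions.

```python
import sqlite3

# Constructed sample data, not taken from the advisory or from phpMyAdmin.
# The attacker controls only the *name* of a table they are allowed to create;
# "admin_secrets" is a table the victim (e.g. a DBA) can read but the attacker cannot.
CRAFTED_TABLE = "admin_secrets --"   # trailing "-- " comments out the rest of the query


def backquote(identifier: str) -> str:
    """MySQL-style identifier quoting: wrap in backticks and double any
    backtick inside the name. This is the step missing from the affected code."""
    return "`" + identifier.replace("`", "``") + "`"


def sql_quote(value: str) -> str:
    """String-literal quoting for the search term (sufficient for SQLite;
    MySQL additionally needs backslash escaping, omitted here for brevity)."""
    return "'" + value.replace("'", "''") + "'"


def build_search_vulnerable(table: str, column: str, term: str) -> str:
    """Query shape of the bug: the table name is interpolated without quoting."""
    pattern = sql_quote("%" + term + "%")
    return f"SELECT * FROM {table} WHERE {backquote(column)} LIKE {pattern}"


def build_search_fixed(table: str, column: str, term: str) -> str:
    """Same query with every identifier backquoted."""
    pattern = sql_quote("%" + term + "%")
    return f"SELECT * FROM {backquote(table)} WHERE {backquote(column)} LIKE {pattern}"


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL server. SQLite accepts backtick-quoted
    identifiers, so the crafted table name can be created just as in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_secrets (secret TEXT)")
    conn.execute("INSERT INTO admin_secrets VALUES ('root password: hunter2')")
    conn.execute(f"CREATE TABLE {backquote(CRAFTED_TABLE)} (body TEXT)")
    conn.execute(f"INSERT INTO {backquote(CRAFTED_TABLE)} VALUES ('hello world')")
    return conn


def run_search(builder, table: str, column: str, term: str) -> list:
    """Run the victim's search with the given query builder; return the first column."""
    conn = setup_db()
    try:
        return [row[0] for row in conn.execute(builder(table, column, term))]
    finally:
        conn.close()


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_search_vulnerable),
                          ("fixed", build_search_fixed)):
        print(name, builder(CRAFTED_TABLE, "body", "hello"))
        print("  ->", run_search(builder, CRAFTED_TABLE, "body", "hello"))
```

With the raw interpolation the victim's search for "hello" silently becomes SELECT * FROM admin_secrets and returns the secret row; with the identifier quoted it returns only the row from the oddly named table. Note that the hostile input is an object name already stored in the server's catalog, not something typed into the search form, which is why the remediation is an upgrade rather than validation of the search parameters.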

Remediation

Upgrade phpmyadmin/phpmyadmin to version 4.9.5, 5.0.2 or higher.

CVSS Score

5.0
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Credit
Unknown
CVE
CVE-2020-10802
CWE
CWE-89
Snyk ID
SNYK-PHP-PHPMYADMINPHPMYADMIN-560906
Disclosed
20 Mar, 2020
Published
22 Mar, 2020