SQL Injection

Affecting phpmyadmin/phpmyadmin package, versions >=4.0.0, <4.9.5 || >=5.0.0, <5.0.2


Overview

phpmyadmin/phpmyadmin is a web interface for MySQL and MariaDB.

Affected versions of this package are vulnerable to SQL Injection via tbl_get_field.php and libraries/classes/Display/Results.php, where crafted data can be used to trigger an XSS attack when query results are retrieved and displayed. The attacker must first be able to insert the crafted data into certain database tables; the XSS then fires when those rows are retrieved and rendered in phpMyAdmin.

Remediation

Upgrade phpmyadmin/phpmyadmin to version 4.9.5, 5.0.2 or higher.
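The affected ranges above are easiest to act on with a fleet-wide check. The following is an added example (not part of the advisory or of phpMyAdmin) that parses installed version strings and flags any that fall inside the two affected ranges; the host inventory is constructed sample data and the version strings are assumed to be whatever each installation reports.

```python
"""Flag phpMyAdmin installations in the affected ranges from this advisory:
>=4.0.0 <4.9.5 and >=5.0.0 <5.0.2 (fixed in 4.9.5 and 5.0.2)."""
import re

# (inclusive lower bound, exclusive upper bound) tuples, straight from the advisory.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 9, 5)),
    ((5, 0, 0), (5, 0, 2)),
]
FIXED_VERSIONS = ("4.9.5", "5.0.2")


def parse_version(text):
    """Turn '4.9.4', 'v5.0.1' or '5.0.1-rc1' into a comparable tuple such as (5, 0, 1).
    Caveat: a pre-release suffix is dropped, so '5.0.2-rc1' compares as 5.0.2 even
    though it predates the fix; treat pre-release builds as affected by hand."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True when the version lies inside any affected range (bounds as in the advisory)."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def audit(inventory):
    """inventory: {hostname: reported version}. Returns {hostname: (version, affected)}.
    Unparseable versions are reported as affected=None so they are reviewed, not ignored."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = (version, is_affected(version))
        except ValueError:
            report[host] = (version, None)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not from the advisory.
    sample = {"db-admin-1": "4.9.4", "db-admin-2": "4.9.5",
              "db-admin-3": "5.0.1", "db-admin-4": "5.0.2", "legacy": "3.5.8"}
    for host, (version, affected) in audit(sample).items():
        state = {True: "AFFECTED, upgrade to " + " or ".join(FIXED_VERSIONS),
                 False: "not affected", None: "unparseable, review manually"}[affected]
        print(f"{host}: {version} -> {state}")
```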

CVSS Score

5.0
medium severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Credit: Unknown
CVE: CVE-2020-10803
CWE: CWE-89
Snyk ID: SNYK-PHP-PHPMYADMINPHPMYADMIN-560907
Disclosed: 20 Mar, 2020
Published: 22 Mar, 2020