Fluid Attacks Database

Description

phpMyAdmin SQL injection in user accounts page In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	phpmyadmin	>=0 <4:4.9.4+dfsg1-1	4:4.9.4+dfsg1-1
debian 12	phpmyadmin	>=0 <4:4.9.4+dfsg1-1	4:4.9.4+dfsg1-1
packagist	phpmyadmin/phpmyadmin	>=4.0.0 <4.9.4 \|\| >=5.0.0 <5.0.1	4.9.4, 5.0.1
debian 11	phpmyadmin	>=0 <4:4.9.4+dfsg1-1	4:4.9.4+dfsg1-1

Aliases

1. CVE-2020-55042. NVD-2020-55043. OSV-DEBIAN-2020-55044. OSV-2020-55045. GCVE-2020-55046. SECURITY-TRACKER-CVE-2020-55047. lists.debian.org

References

1. https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin2. https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.html3. https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-5504.yaml4. https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-5504.md5. https://www.phpmyadmin.net/security/PMASA-2020-16. http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html