Fluid Attacks Database

Description

phpMyAdmin SQL Injection In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.9.0 <4.9.5 \|\| >=5.0.0 <5.0.2	4.9.5, 5.0.2
debian 12	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1
debian 13	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1
debian 11	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1

Aliases

1. CVE-2020-108042. NVD-2020-108043. OSV-2020-108044. OSV-DEBIAN-2020-108045. GCVE-2020-108046. SECURITY-TRACKER-CVE-2020-10804

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10804.yaml2. https://lists.fedoraproject.org/archives/list/[email protected]/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ3. https://lists.fedoraproject.org/archives/list/[email protected]/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK4. https://lists.fedoraproject.org/archives/list/[email protected]/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO5. https://www.phpmyadmin.net/security/PMASA-2020-26. http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html7. http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html8. http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html