CVE-2020-10802
published 2020-03-22CVE-2020-10802: In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when…
high8CVSS 3.1
AVNACLPRLUIRSUCHIHAH
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | phpmyadmin | < phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) | phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.6.6-5ubuntu0.5 | 4:4.6.6-5ubuntu0.5 |
| phpmyadmin | phpmyadmin | >= 4.0.0 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 4.9.0 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
CVSS provenance
nvdv3.18.0HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
osv8.0HIGH