CVE-2020-10803
Published: 2020-03-22
Severity: medium (CVSS 3.1 base score 5.4)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | phpmyadmin | < phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) | phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.6.6-5ubuntu0.5 | 4:4.6.6-5ubuntu0.5 |
| phpmyadmin | phpmyadmin | >= 3.4 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 4.0.0 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.5 | MEDIUM | — |