CVE-2020-10803 — Cross-site Scripting in Phpmyadmin

CWE-79 — Cross-site Scripting CWE-89 — SQL Injection11 documents7 sources

Severity

5.4MEDIUMNVD

OSV6.5

EPSS

3.6%

top 12.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Linux Fedoraproject Fedora +2 more

Timeline

PublishedMar 22

Latest updateMay 24

Description

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶NVDphpmyadmin/phpmyadmin4.0.0 — 4.9.5+1

▶Packagistphpmyadmin/phpmyadmin3.4 — 4.9.5+1

▶Debianphpmyadmin/phpmyadmin< 4:4.9.5+dfsg1-1+3

▶Ubuntuphpmyadmin/phpmyadmin< 4:4.6.6-5ubuntu0.5

▶NVDopensuse/leap15.1

Also affects: Debian Linux 8.0, Fedora 30, 31, 32

Patches

Patch: www.phpmyadmin.net ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

OSV

phpMyAdmin SQL injection vulnerability↗2022-05-24

▶

GHSA

phpMyAdmin SQL injection vulnerability↗2022-05-24

▶

OSV

phpmyadmin vulnerabilities↗2020-11-19

▶

CVEList

CVE-2020-10803: In phpMyAdmin 4↗2020-03-22

▶

OSV

CVE-2020-10803: In phpMyAdmin 4↗2020-03-22

▶

📋Vendor Advisories

Ubuntu

phpMyAdmin vulnerabilities↗2020-11-19

▶

Debian

CVE-2020-10803: phpmyadmin - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerabili...↗2020

▶

💬Community

Bugzilla

CVE-2020-10803 phpMyAdmin: Inserting specially crafted code in database tables, retrieving and displaying resuts could result in XSS↗2020-03-23

▶

Bugzilla

CVE-2020-10803 phpMyAdmin: Inserting specially crafted code in database tables, retrieving and displaying resuts could result in XSS [epel-all]↗2020-03-23

▶

Bugzilla

CVE-2020-10803 phpMyAdmin: Inserting specially crafted code in database tables, retrieving and displaying resuts could result in XSS [fedora-all]↗2020-03-23

▶