CVE-2020-10804
published 2020-03-22CVE-2020-10804: In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in…
high8CVSS 3.1
AVNACLPRLUIRSUCHIHAH
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) | phpmyadmin 4:4.9.5+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.5+dfsg1-1 | 4:4.9.5+dfsg1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.6.6-5ubuntu0.5 | 4:4.6.6-5ubuntu0.5 |
| phpmyadmin | phpmyadmin | >= 4.0.0 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 4.9.0 < 4.9.5 | 4.9.5 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
| phpmyadmin | phpmyadmin | >= 5.0.0 < 5.0.2 | 5.0.2 |
CVSS provenance
nvdv3.18.0HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
osv8.0HIGH