Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-5504 — SQL Injection in Phpmyadmin

CWE-89 — SQL Injection10 documents8 sources

Severity

8.8HIGHNVD

EPSS

22.4%

top 4.17%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Phpmyadmin Debian Linux Suse Linux Enterprise Server

Timeline

PublishedJan 9

Latest updateDec 3

Description

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDphpmyadmin/phpmyadmin4.0.0 — 4.9.4+1

▶Packagistphpmyadmin/phpmyadmin4.0.0 — 4.9.4+1

▶Debianphpmyadmin/phpmyadmin< 4:4.9.4+dfsg1-1+3

▶NVDsuse/suse_linux_enterprise_server12

Also affects: Debian Linux 8.0

Patches

Patch: www.phpmyadmin.net ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

OSV

phpMyAdmin SQL injection in user accounts page↗2022-05-24

▶

GHSA

phpMyAdmin SQL injection in user accounts page↗2022-05-24

▶

CVEList

CVE-2020-5504: In phpMyAdmin 4 before 4↗2020-01-09

▶

OSV

CVE-2020-5504: In phpMyAdmin 4 before 4↗2020-01-09

▶

💥Exploits & PoCs

Exploit-DB

phpMyAdmin 5.0.0 - SQL Injection↗2025-12-03

▶

📋Vendor Advisories

Ubuntu

phpMyAdmin vulnerabilities↗2021-03-16

▶

Ubuntu

phpMyAdmin vulnerabilities↗2020-11-19

▶

Debian

CVE-2020-5504: phpmyadmin - In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the use...↗2020

▶

💬Community

Bugzilla

CVE-2020-5504 phpmyadmin: SQL injection in the user accounts page↗2020-01-13

▶