cbcvebase.
CVE-2020-5504
published 2020-01-09

CVE-2020-5504: In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own…

PriorityP271high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
38.78%
98.4th percentile
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Affected

16 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debianphpmyadmin< phpmyadmin 4:4.9.4+dfsg1-1 (bookworm)phpmyadmin 4:4.9.4+dfsg1-1 (bookworm)
phpmyadminphpmyadmin>= 0 < 4:4.9.4+dfsg1-14:4.9.4+dfsg1-1
phpmyadminphpmyadmin>= 0 < 4:4.9.4+dfsg1-14:4.9.4+dfsg1-1
phpmyadminphpmyadmin>= 0 < 4:4.9.4+dfsg1-14:4.9.4+dfsg1-1
phpmyadminphpmyadmin>= 0 < 4:4.9.4+dfsg1-14:4.9.4+dfsg1-1
phpmyadminphpmyadmin>= 0 < 4:4.6.6-5ubuntu0.54:4.6.6-5ubuntu0.5
phpmyadminphpmyadmin>= 0 < 4:4.0.10-1ubuntu0.1+esm44:4.0.10-1ubuntu0.1+esm4
phpmyadminphpmyadmin>= 0 < 4:4.5.4.1-2ubuntu2.1+esm64:4.5.4.1-2ubuntu2.1+esm6
phpmyadminphpmyadmin>= 0 < 4:4.6.6-5ubuntu0.5+esm14:4.6.6-5ubuntu0.5+esm1
phpmyadminphpmyadmin>= 0 < 4:4.9.5+dfsg1-2ubuntu0.1~esm14:4.9.5+dfsg1-2ubuntu0.1~esm1
phpmyadminphpmyadmin>= 4.0.0 < 4.9.44.9.4
phpmyadminphpmyadmin>= 4.0.0 < 4.9.44.9.4
phpmyadminphpmyadmin>= 5.0.0 < 5.0.15.0.1
phpmyadminphpmyadmin>= 5.0.0 < 5.0.15.0.1
susesuse_linux_enterprise_server

Detection & IOCsextracted from sources · hover to see the quote

url/server_privileges.php?ajax_request=true&validate_username=set&username=%27%20OR%20%271%27%3D%271%27%20--%20
path/server_privileges.php
commandusername=' OR '1'='1' --
  • Monitor HTTP GET requests to /server_privileges.php with parameters ajax_request=true and validate_username=set, especially where the username parameter contains SQL metacharacters such as single quotes, OR clauses, or comment sequences (--).
  • SQL injection is triggered via the username parameter on the user accounts page (server_privileges.php); alert on URL-encoded SQL injection patterns (%27, %20OR%20, %20--%20) in that parameter.
  • Exploitation requires an authenticated MySQL session; correlate suspicious server_privileges.php requests with valid session cookies to identify authenticated abuse.
  • ·Exploitation requires a valid MySQL account; unauthenticated attackers cannot trigger this vulnerability.
  • ·Affected versions are phpMyAdmin 4.x before 4.9.4 and 5.x before 5.0.1; instances running 4.9.4+ or 5.0.1+ are not vulnerable.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_ubuntu6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.