In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

The version of phpMyAdmin installed on the remote web server is 4.9.x prior to 4.9.5 or 5.0.x prior to 5.0.2. It is, therefore, affected by multiple vulnerabilities.
 - A malicious user may be able to create a specially crafted username leading to a SQL injection.
 - A malicious user may be able to create a specially crafted database or table name leading to a SQL injection if a user then performs certain search operations on the table created.
 - An attacker may be able to insert crafted data in certain database tables, which when retrieved trigger a XSS attack. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.9.x prior to 4.9.5 or 5.0.x prior to 5.0.2. It is, therefore, affected by multiple vulnerabilities.

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval     of the current username (in libraries/classes/Server/Privileges.php and     libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted     username, and then trick the victim into performing specific actions with that user account (such as     editing its privileges). (CVE-2020-10804)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered     where certain parameters are not properly escaped when generating certain queries for search actions in     libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database     or table name. The attack can be performed if a user attempts certain search operations on the malicious     database or table. (CVE-2020-10802)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where     malicious code could be used to trigger an XSS attack through retrieving and displaying results (in     tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted     data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger     the XSS attack. (CVE-2020-10803)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4639-1 advisory.

    It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage     tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive     files. (CVE-2018-19968)

    It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for     an XSS attack. (CVE-2018-19970)

    It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to     execute a cross-site scripting (XSS) attack via a crafted URL. (CVE-2018-7260)

    It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this     vulnerability to execute an SQL injection attack via a specially crafted database name. (CVE-2019-11768)

    It was discovered that phpmyadmin incorrectly handled some requests. An attacker could possibly use this     to perform a CSRF attack. (CVE-2019-12616)

    It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this     vulnerability to execute an SQL injection attack via a specially crafted username. (CVE-2019-6798,     CVE-2020-10804, CVE-2020-5504)

    It was discovered that phpMyAdmin would allow sensitive files to be leaked if certain configuration     options were set. An attacker could use this vulnerability to access confidential information.
    (CVE-2019-6799)

    It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this     vulnerability to execute an SQL injection attack via a specially crafted database or table name.
    (CVE-2020-10802)

    It was discovered that phpMyAdmin did not properly handle data from the database when displaying it. If an     attacker were to insert specially- crafted data into certain database tables, the attacker could execute a     cross-site scripting (XSS) attack. (CVE-2020-10803)

    It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a victim were to click on a crafted     link, an attacker could run malicious JavaScript on the victim's system. (CVE-2020-26934)

    It was discovered that phpMyAdmin did not properly handler certain SQL statements in the search feature.
    An attacker could use this vulnerability to inject malicious SQL into a query. (CVE-2020-26935)

    It was discovered that phpMyAdmin did not properly sanitize certain input. An attacker could use this     vulnerability to possibly execute an HTML injection or a cross-site scripting (XSS) attack.
    (CVE-2019-19617)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for phpMyAdmin fixes the following issues :

phpMyAdmin was updated to 4.9.7 (boo#1177842) :

  - Fix two factor authentication that was broken in 4.9.6

  - Fix incompatibilities with older PHP versions

Update to 4.9.6 :

  - Fixed XSS relating to the transformation feature     (boo#1177561 CVE-2020-26934, PMASA-2020-5)

  - Fixed SQL injection vulnerability in SearchController     (boo#1177562 CVE-2020-26935, PMASA-2020-6) 

Update to 4.9.5 :

This is a security release containing several bug fixes.

  - CVE-2020-10804: SQL injection vulnerability in the user     accounts page, particularly when changing a password     (boo#1167335, PMASA-2020-2)

  - CVE-2020-10802: SQL injection vulnerability relating to     the search feature (boo#1167336, PMASA-2020-3)

  - CVE-2020-10803: SQL injection and XSS having to do with     displaying results (boo#1167337, PMASA-2020-4)

  - Removing of the 'options' field for the external     transformation.

The **phpMyAdmin** team announces the release of both **4.9.5** and
**5.0.2**.

Both versions contain several security fixes :

  - PMASA-2020-2 SQL injection vulnerability in the user     accounts page, particularly when changing a password

  - PMASA-2020-3 SQL injection vulnerability relating to the     search feature

  - PMASA-2020-4 SQL injection and XSS having to do with     displaying results

  - Removing of the 'options' field for the external     transformation.

There are many other bugs fixes, please see the ChangeLog file included with this release for full details.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for phpMyAdmin to version 4.9.5 fixes the following issues :

  - phpmyadmin was updated to 4.9.5 :

  - CVE-2020-10804: Fixed a SQL injection in the user     accounts page, particularly when changing a password     (boo#1167335 PMASA-2020-2).

  - CVE-2020-10802: Fixed a SQL injection in the search     feature (boo#1167336 PMASA-2020-3).

  - CVE-2020-10803: Fixed a SQL injection and XSS when     displaying results (boo#1167337 PMASA-2020-4).

  - Removed the 'options' field for the external     transformation.

The following packages CVE(s) were reported against phpmyadmin.

CVE-2020-10802

In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

CVE-2020-10803

In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

For Debian 8 'Jessie', these problems have been fixed in version 4:4.2.12-2+deb8u9.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
113302	phpMyAdmin 5.0.x < 5.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
113301	phpMyAdmin 4.9.x < 4.9.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
144646	phpMyAdmin 4.9.0 < 4.9.5 / 5.0.0 < 5.0.2 Multiple Vulnerabilities (PMASA-2020-2, PMASA-2020-3, PMASA-2020-4)	Nessus	CGI abuses	high
143119	Ubuntu 18.04 LTS : phpMyAdmin vulnerabilities (USN-4639-1)	Nessus	Ubuntu Local Security Checks	critical
142572	openSUSE Security Update : phpMyAdmin (openSUSE-2020-1806)	Nessus	SuSE Local Security Checks	critical
135107	Fedora 31 : phpMyAdmin (2020-d7b0a5a84a)	Nessus	Fedora Local Security Checks	high
135104	Fedora 30 : phpMyAdmin (2020-25f3aea389)	Nessus	Fedora Local Security Checks	high
135008	openSUSE Security Update : phpMyAdmin (openSUSE-2020-405)	Nessus	SuSE Local Security Checks	high
134771	Debian DLA-2154-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-10802

high

Tenable Plugins

high

high

high

critical

critical

high

high

high

high