Debian LTS: Security Advisory for phpmyadmin (DLA-2154-1)

The remote host is missing an update for the 'phpmyadmin' package(s) announced via the DLA-2154-1 advisory.

The following packages CVE(s) were reported against phpmyadmin. CVE-2020-10802 In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. CVE-2020-10803 In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

'phpmyadmin' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 8 'Jessie', these problems have been fixed in version 4:4.2.12-2+deb8u9. We recommend that you upgrade your phpmyadmin packages.