phpMyAdmin < 4.9.5, 5.x < 5.0.2 Multiple SQL Injection Vulnerabilities - PMASA-2020-2, PMASA-2020-3, PMASA-2020-4 (Windows)

Published: 2020-03-23 11:00:00
CVE Author: NIST National Vulnerability Database (NVD)

Detection Type:
Remote Banner

Solution Type:
Vendor Patch

phpMyAdmin is prone to multiple SQL injection vulnerabilities.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
The following SQL injection vulnerabilities exist:
- An SQL injection vulnerability was found in how phpMyAdmin retrieves the current username.
- An SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions within phpMyAdmin.
- An SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results.

Successful exploitation would allow an attacker to:
- create a specially-crafted username and then trick the victim into performing specific actions with that user account (such as editing its privileges);
- generate specially-crafted database or table names;
- insert specially-crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger an XSS attack.

Affected Versions:
phpMyAdmin prior to version 4.9.5 and 5.x prior to 5.0.2.

Solution:
Update to version 4.9.5, 5.0.2 or later.
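The detection method above is a version check against the two affected ranges (below 4.9.5, and 5.x below 5.0.2). The following is an added example, not part of the original advisory and not the scanner's own check, that implements that comparison over an asset inventory so an administrator can confirm which hosts still need the vendor patch. The inventory contents and host names are constructed for the example; pre-release suffixes such as "-rc1" are treated as older than the release they precede, which is an assumption chosen so that a candidate build is never reported as already fixed.

```python
"""Version-range check for PMASA-2020-2/3/4 (added example, not the advisory's or any scanner's own code)."""
import re

# Fixed versions stated in the advisory, padded with a release flag (see parse_version).
FIXED_4X = (4, 9, 5, 0)
FIXED_5X = (5, 0, 2, 0)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> tuple:
    """Turn '4.9.4', '5.0.1' or '5.0.2-rc1' into a comparable tuple.

    The numeric components are padded to three places; a trailing flag of 0
    marks a final release and -1 marks a pre-release suffix, so that
    (5, 0, 2, -1) sorts before (5, 0, 2, 0).  Assumption: any non-empty
    suffix is a pre-release of the numbered version.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    while len(numbers) < 3:
        numbers.append(0)
    release_flag = -1 if match.group(2) else 0
    return tuple(numbers[:3]) + (release_flag,)


def is_affected(version: str) -> bool:
    """True when the version falls inside the ranges the advisory lists."""
    parsed = parse_version(version)
    major = parsed[0]
    if major < 4:
        return True          # "prior to 4.9.5" covers every earlier major line
    if major == 4:
        return parsed < FIXED_4X
    if major == 5:
        return parsed < FIXED_5X
    return False             # later major lines are outside this advisory's scope


def check_inventory(inventory: dict) -> list:
    """Return the sorted names of hosts whose phpMyAdmin version is affected.

    `inventory` maps host name -> version string as recorded by an asset scan.
    """
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory; host names and versions are made up for the example.
SAMPLE_INVENTORY = {
    "db-admin-01": "4.9.4",
    "db-admin-02": "5.0.2",
    "legacy-01": "4.8.5",
    "staging-01": "5.0.2-rc1",
}

if __name__ == "__main__":
    for host in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: phpMyAdmin {SAMPLE_INVENTORY[host]} is affected; update to 4.9.5 / 5.0.2 or later")
```

The check only reproduces the banner-based logic the advisory describes: it cannot tell whether a distribution has backported the fix under an older version number, so a host flagged here should be confirmed against the installed package's changelog before being treated as vulnerable.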

Source: NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)