CVE-2020-10803: SQL Injection
First published: Thu Mar 05 2020(Updated: )
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=3.4<4.9.5>=5.0.0<5.0.2 | |
| phpMyAdmin phpMyAdmin | >=4.0.0<4.9.5 | |
| phpMyAdmin phpMyAdmin | >=5.0.0<5.0.2 | |
| Debian Debian Linux | =8.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.1 | |
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| composer/phpmyadmin/phpmyadmin | >=5.0.0<5.0.2 | 5.0.2 |
| composer/phpmyadmin/phpmyadmin | >=3.4<4.9.5 | 4.9.5 |
| All of | ||
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.phpmyadmin.net/security/PMASA-2020-4/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
- https://nvd.nist.gov/vuln/detail/CVE-2020-10803
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10803.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO
- https://www.phpmyadmin.net/security/PMASA-2020-4
- https://github.com/advisories/GHSA-fcww-8wvc-38q9 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
Frequently Asked Questions
What is the vulnerability ID of this SQL injection issue relating to data display?
The vulnerability ID is CVE-2020-10803.
What is the severity level of CVE-2020-10803?
The severity level of CVE-2020-10803 is medium with a CVSS score of 5.4.
Which software versions are affected by this vulnerability?
The affected software versions include phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by using malicious code to trigger an XSS attack through retrieving and displaying results in tbl_get_field.php and libraries/classes/Display/Results.php.
Are there any official references for CVE-2020-10803?
Yes, you can find official references for CVE-2020-10803 at the following links: [1] [2] [3].
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fcww-8wvc-38q9
- alias/CVE-2020-10803
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/author
- agent/references
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin phpmyadmin
- version/phpmyadmin phpmyadmin/4.0.0
- version/phpmyadmin phpmyadmin/5.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0
- version/opensuse backports sle/15.0-sp1
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/suse
- canonical/suse package hub
- canonical/suse linux enterprise
- version/suse linux enterprise/12.0