CVE-2020-26934: XSS
First published: Sun May 17 2020(Updated: )
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.6>=5.0.0<5.0.3 | |
| phpMyAdmin phpMyAdmin | >=4.9.0<4.9.6 | |
| phpMyAdmin phpMyAdmin | >=5.0.0<5.0.3 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Backports SLE | =15.0-sp2 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Debian Debian Linux | =9.0 | |
| composer/phpmyadmin/phpmyadmin | >=5.0.0<5.0.3 | 5.0.3 |
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.6 | 4.9.6 |
| >=4.9.0<4.9.6 | ||
| >=5.0.0<5.0.3 | ||
| =15.0 | ||
| =15.0-sp1 | ||
| =15.0-sp2 | ||
| =15.1 | ||
| =15.2 | ||
| =31 | ||
| =32 | ||
| =33 | ||
| =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.phpmyadmin.net/security/PMASA-2020-5/
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/
- https://security.gentoo.org/glsa/202101-35
- https://nvd.nist.gov/vuln/detail/CVE-2020-26934
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-26934.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5
- https://www.phpmyadmin.net/security/PMASA-2020-5
- https://github.com/advisories/GHSA-6349-53vr-7hcr (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/
Frequently Asked Questions
What is CVE-2020-26934?
CVE-2020-26934 is a vulnerability in phpMyAdmin before 4.9.6 and 5.x before 5.0.3 that allows XSS (cross-site scripting) attacks through the transformation feature via a crafted link.
What is the severity of CVE-2020-26934?
The severity of CVE-2020-26934 is medium with a CVSS score of 6.1.
Which software versions are affected by CVE-2020-26934?
phpMyAdmin versions 4.9.0 to 4.9.6 and 5.0.0 to 5.0.3 are affected by CVE-2020-26934. Additionally, openSUSE Backports SLE 15.0, openSUSE Backports SLE 15.0 SP1, openSUSE Backports SLE 15.0 SP2, openSUSE Leap 15.1, openSUSE Leap 15.2, Fedoraproject Fedora 31, Fedoraproject Fedora 32, Fedoraproject Fedora 33, and Debian Debian Linux 9.0 are also affected.
How can I exploit CVE-2020-26934?
To exploit CVE-2020-26934, an attacker can construct a malicious link that, when clicked by a victim, executes arbitrary JavaScript in the context of the phpMyAdmin user interface.
How do I fix CVE-2020-26934?
To fix CVE-2020-26934, it is recommended to update phpMyAdmin to version 4.9.6 or 5.0.3. Alternatively, apply the patches or updates provided by the software vendor for the affected versions.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6349-53vr-7hcr
- alias/CVE-2020-26934
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- agent/references
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin phpmyadmin
- version/phpmyadmin phpmyadmin/4.9.0
- version/phpmyadmin phpmyadmin/5.0.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0
- version/opensuse backports sle/15.0-sp1
- version/opensuse backports sle/15.0-sp2
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0