What is CVE-2020-26935?

CVE-2020-26935 is a SQL injection vulnerability in the SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3.

How does the SQL injection vulnerability in SearchController work?

The SQL injection vulnerability allows an attacker to inject malicious SQL into a query processed by phpMyAdmin's search feature.

What is the severity of CVE-2020-26935?

The severity of CVE-2020-26935 is critical with a CVSS score of 9.8.

What software versions are affected by CVE-2020-26935?

Versions of phpMyAdmin before 4.9.6 and 5.x before 5.0.3 are affected.

How can I fix the SQL injection vulnerability in SearchController?

To fix the vulnerability, it is recommended to upgrade phpMyAdmin to version 4.9.6 or higher for 4.x versions, and version 5.0.3 or higher for 5.x versions.

Vulnerability/
CVE-2020-26935

critical

9.8

CWE

3/7/2020

10/10/2020

4/8/2024

CVE-2020-26935: SQL Injection

First published: Fri Jul 03 2020(Updated: )

An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
composer/phpmyadmin/phpmyadmin	>=4.9.0<4.9.6>=5.0.0<5.0.3
phpMyAdmin phpMyAdmin	>=4.9.0<4.9.6
phpMyAdmin phpMyAdmin	>=5.0.0<5.0.3
openSUSE Backports SLE	=15.0
openSUSE Backports SLE	=15.0-sp1
openSUSE Backports SLE	=15.0-sp2
openSUSE Leap	=15.1
openSUSE Leap	=15.2
Fedoraproject Fedora	=31
Fedoraproject Fedora	=32
Fedoraproject Fedora	=33
Debian Debian Linux	=9.0
composer/phpmyadmin/phpmyadmin	>=5.0.0<5.0.3	5.0.3
composer/phpmyadmin/phpmyadmin	>=4.9.0<4.9.6	4.9.6
	>=4.9.0<4.9.6
	>=5.0.0<5.0.3
	=15.0
	=15.0-sp1
	=15.0-sp2
	=15.1
	=15.2
	=31
	=32
	=33
	=9.0

Remedy

https://www.phpmyadmin.net/security/PMASA-2020-6/

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-26935?
CVE-2020-26935 is a SQL injection vulnerability in the SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3.
How does the SQL injection vulnerability in SearchController work?
The SQL injection vulnerability allows an attacker to inject malicious SQL into a query processed by phpMyAdmin's search feature.
What is the severity of CVE-2020-26935?
The severity of CVE-2020-26935 is critical with a CVSS score of 9.8.
What software versions are affected by CVE-2020-26935?
Versions of phpMyAdmin before 4.9.6 and 5.x before 5.0.3 are affected.
How can I fix the SQL injection vulnerability in SearchController?
To fix the vulnerability, it is recommended to upgrade phpMyAdmin to version 4.9.6 or higher for 4.x versions, and version 5.0.3 or higher for 5.x versions.

collector/friends-of-php
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-7ff4-cv53-4cjq
alias/CVE-2020-26935
agent/software-canonical-lookup
agent/remedy
agent/severity
agent/weakness
agent/description
agent/references
agent/author
agent/softwarecombine
collector/nvd-cve
source/NVD
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/tags
agent/source
package-manager/composer
vendor/phpmyadmin
canonical/phpmyadmin phpmyadmin
version/phpmyadmin phpmyadmin/4.9.0
version/phpmyadmin phpmyadmin/5.0.0
vendor/opensuse
canonical/opensuse backports sle
version/opensuse backports sle/15.0
version/opensuse backports sle/15.0-sp1
version/opensuse backports sle/15.0-sp2
canonical/opensuse leap
version/opensuse leap/15.1
version/opensuse leap/15.2
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/31
version/fedoraproject fedora/32
version/fedoraproject fedora/33
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0