PhpMyAdmin 4 before 4.9.4 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Vulnerability

Summary

A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Credit:

The information has been provided by Vendor

The original article can be found at:https://www.phpmyadmin.net/security/PMASA-2020-1/


Details

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

 

Vulnerable Systems:

PhpMyAdmin 4 before 4.9.4 

PhpMyAdmin 5 before 5.0.1

 

CVE Information:

CVE-2020-5504

 

Disclosure Timeline:
Published Date:1/9/2020

Categories: News