In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

The version of phpMyAdmin installed on the remote web server is 4.9.x prior to 4.9.5 or 5.0.x prior to 5.0.2. It is, therefore, affected by multiple vulnerabilities.
 - A malicious user may be able to create a specially crafted username leading to a SQL injection.
 - A malicious user may be able to create a specially crafted database or table name leading to a SQL injection if a user then performs certain search operations on the table created.
 - An attacker may be able to insert crafted data in certain database tables, which when retrieved trigger a XSS attack. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.9.x prior to 4.9.5 or 5.0.x prior to 5.0.2. It is, therefore, affected by multiple vulnerabilities.

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval     of the current username (in libraries/classes/Server/Privileges.php and     libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted     username, and then trick the victim into performing specific actions with that user account (such as     editing its privileges). (CVE-2020-10804)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered     where certain parameters are not properly escaped when generating certain queries for search actions in     libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database     or table name. The attack can be performed if a user attempts certain search operations on the malicious     database or table. (CVE-2020-10802)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where     malicious code could be used to trigger an XSS attack through retrieving and displaying results (in     tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted     data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger     the XSS attack. (CVE-2020-10803)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4639-1 advisory.

  - Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows     remote authenticated users to inject arbitrary web script or HTML via a crafted URL. (CVE-2018-7260)

  - An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error     in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage     tables, although these can easily be created in any database to which the attacker has access. An attacker     must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to     circumvent the login system. (CVE-2018-19968)

  - In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can     deliver a payload to a user through a crafted database/table name. (CVE-2018-19970)

  - An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted     username can be used to trigger a SQL injection attack through the designer feature. (CVE-2019-6798)

  - An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is     set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the     web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the     inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFILE calls. (CVE-2019-6799)

  - An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially     crafted database name can be used to trigger an SQL injection attack through the designer feature.
    (CVE-2019-11768)

  - An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to     trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a     broken  tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a     payload (such as a specific INSERT or DELETE statement) to the victim. (CVE-2019-12616)

  - In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A     malicious user could inject custom SQL in place of their own username when creating queries to this page.
    An attacker must have a valid MySQL account to access the server. (CVE-2020-5504)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered     where certain parameters are not properly escaped when generating certain queries for search actions in     libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database     or table name. The attack can be performed if a user attempts certain search operations on the malicious     database or table. (CVE-2020-10802)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where     malicious code could be used to trigger an XSS attack through retrieving and displaying results (in     tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted     data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger     the XSS attack. (CVE-2020-10803)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval     of the current username (in libraries/classes/Server/Privileges.php and     libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted     username, and then trick the victim into performing specific actions with that user account (such as     editing its privileges). (CVE-2020-10804)

  - phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted     link. (CVE-2020-26934)

  - An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL     injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature.
    An attacker could use this flaw to inject malicious SQL in to a query. (CVE-2020-26935)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for phpMyAdmin fixes the following issues :

phpMyAdmin was updated to 4.9.7 (boo#1177842) :

  - Fix two factor authentication that was broken in 4.9.6

  - Fix incompatibilities with older PHP versions

Update to 4.9.6 :

  - Fixed XSS relating to the transformation feature     (boo#1177561 CVE-2020-26934, PMASA-2020-5)

  - Fixed SQL injection vulnerability in SearchController     (boo#1177562 CVE-2020-26935, PMASA-2020-6) 

Update to 4.9.5 :

This is a security release containing several bug fixes.

  - CVE-2020-10804: SQL injection vulnerability in the user     accounts page, particularly when changing a password     (boo#1167335, PMASA-2020-2)

  - CVE-2020-10802: SQL injection vulnerability relating to     the search feature (boo#1167336, PMASA-2020-3)

  - CVE-2020-10803: SQL injection and XSS having to do with     displaying results (boo#1167337, PMASA-2020-4)

  - Removing of the 'options' field for the external     transformation.

The **phpMyAdmin** team announces the release of both **4.9.5** and
**5.0.2**.

Both versions contain several security fixes :

  - PMASA-2020-2 SQL injection vulnerability in the user     accounts page, particularly when changing a password

  - PMASA-2020-3 SQL injection vulnerability relating to the     search feature

  - PMASA-2020-4 SQL injection and XSS having to do with     displaying results

  - Removing of the 'options' field for the external     transformation.

There are many other bugs fixes, please see the ChangeLog file included with this release for full details.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for phpMyAdmin to version 4.9.5 fixes the following issues :

  - phpmyadmin was updated to 4.9.5 :

  - CVE-2020-10804: Fixed a SQL injection in the user     accounts page, particularly when changing a password     (boo#1167335 PMASA-2020-2).

  - CVE-2020-10802: Fixed a SQL injection in the search     feature (boo#1167336 PMASA-2020-3).

  - CVE-2020-10803: Fixed a SQL injection and XSS when     displaying results (boo#1167337 PMASA-2020-4).

  - Removed the 'options' field for the external     transformation.

The following packages CVE(s) were reported against phpmyadmin.

CVE-2020-10802

In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

CVE-2020-10803

In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

For Debian 8 'Jessie', these problems have been fixed in version 4:4.2.12-2+deb8u9.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
113302	phpMyAdmin 5.0.x < 5.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
113301	phpMyAdmin 4.9.x < 4.9.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
144646	phpMyAdmin 4.9.0 < 4.9.5 / 5.0.0 < 5.0.2 Multiple Vulnerabilities (PMASA-2020-2, PMASA-2020-3, PMASA-2020-4)	Nessus	CGI abuses	high
143119	Ubuntu 18.04 LTS : phpMyAdmin vulnerabilities (USN-4639-1)	Nessus	Ubuntu Local Security Checks	critical
142572	openSUSE Security Update : phpMyAdmin (openSUSE-2020-1806)	Nessus	SuSE Local Security Checks	critical
135107	Fedora 31 : phpMyAdmin (2020-d7b0a5a84a)	Nessus	Fedora Local Security Checks	high
135104	Fedora 30 : phpMyAdmin (2020-25f3aea389)	Nessus	Fedora Local Security Checks	high
135008	openSUSE Security Update : phpMyAdmin (openSUSE-2020-405)	Nessus	SuSE Local Security Checks	high
134771	Debian DLA-2154-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-10802

high

Tenable Plugins

high

high

high

critical

critical

high

high

high

high