SQL injection in user accounts page
A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
We consider this vulnerability to be serious
phpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0. phpMyAdmin 5.x version 5.0.0 is affected.
4.8, 4.9: upgrade to version 4.9.4 or newer. 5.x: upgrade to version 5.0.1 or newer. Or apply the patch below. Older versions: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b
Thanks to CSW Research Labs for reporting this vulnerability
Assigned CVE ids: CVE-2020-5504
CWE ids: CWE-661
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.