SQL injection in user accounts page

2020-01-05T00:00:00
ID PHPMYADMIN:PMASA-2020-1
Type phpmyadmin
Reporter phpMyAdmin
Modified 2020-01-05T00:00:00

Description

PMASA-2020-1

Announcement-ID: PMASA-2020-1

Date: 2020-01-05

Summary

SQL injection in user accounts page

Description

A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Severity

We consider this vulnerability to be serious

Affected Versions

phpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0. phpMyAdmin 5.x version 5.0.0 is affected.

Solution

4.8, 4.9: upgrade to version 4.9.4 or newer. 5.x: upgrade to version 5.0.1 or newer. Or apply the patch below. Older versions: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b

References

Thanks to CSW Research Labs for reporting this vulnerability

Assigned CVE ids: CVE-2020-5504

CWE ids: CWE-661

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.