CVE-2020-10803

Name
CVE-2020-10803
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://www.phpmyadmin.net/security/PMASA-2020-4/
Mailing List https://lists.debian.org/debian-lts-announce/2020/03/msg00028.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* phpmyadmin >= 4.0.0 < 4.9.5
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* phpmyadmin >= 5.0.0 < 5.0.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
phpmyadmin edge-community 5.0.2-r0 None fixed
phpmyadmin edge-community 5.0.1-r0 None possibly vulnerable
phpmyadmin edge-community 4.9.2-r0 None possibly vulnerable
phpmyadmin edge-community 4.9.1-r0 None possibly vulnerable
phpmyadmin edge-community 4.9.0.1-r0 None possibly vulnerable
phpmyadmin edge-community 4.8.5-r0 None possibly vulnerable
phpmyadmin edge-community 4.8.4-r0 None possibly vulnerable
phpmyadmin edge-community 4.8.2-r0 None possibly vulnerable
phpmyadmin edge-community 4.8.0.-r1 None possibly vulnerable
phpmyadmin edge-community 4.8.0-r1 None possibly vulnerable
phpmyadmin edge-community 4.6.5.2-r0 None possibly vulnerable
phpmyadmin 3.22-community 5.0.2-r0 None fixed
phpmyadmin 3.22-community 5.0.1-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.9.2-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.9.1-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.9.0.1-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.8.5-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.8.4-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.8.2-r0 None possibly vulnerable
phpmyadmin 3.22-community 4.8.0-r1 None possibly vulnerable
phpmyadmin 3.22-community 4.6.5.2-r0 None possibly vulnerable
phpmyadmin 3.21-community 5.0.2-r0 None fixed
phpmyadmin 3.20-community 5.0.2-r0 None fixed
phpmyadmin 3.19-community 5.0.2-r0 None fixed
phpmyadmin 3.18-community 5.0.2-r0 None fixed
phpmyadmin 3.17-community 5.0.2-r0 None fixed