CVE-2020-5504

Name: CVE-2020-5504
Description: In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
NVD Severity: high

References

Type          URI
Patch         https://www.phpmyadmin.net/security/PMASA-2020-1/
Mailing List  http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html
Mailing List  https://lists.debian.org/debian-lts-announce/2020/01/msg00011.html
Exploit       https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.html

Match rules

CPE URI                                           Source package  Min version  Max version
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*   phpmyadmin      >= 4.0.0     < 4.9.4
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*   phpmyadmin      >= 5.0.0     < 5.0.1

Vulnerable and fixed packages

Source package  Branch  Version  Maintainer  Status