====================================================================
CERT-Renater Note d'Information No. 2020/VULN004
_____________________________________________________________________

DATE : 14/01/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running phpMyAdmin 4.x versions prior to 4.9.4 and 5.x versions prior to 5.0.1.
=====================================================================

https://www.phpmyadmin.net/security/PMASA-2020-1/
_____________________________________________________________________

PMASA-2020-1

Announcement-ID: PMASA-2020-1
Date: 2020-01-05

Summary

SQL injection in user accounts page

Description

A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when crafting requests to this page. An attacker must already hold a valid MySQL account on the server in order to reach the page, so this is a post-authentication issue.

Severity

We consider this vulnerability to be serious.

Affected Versions

phpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0.
phpMyAdmin 5.x version 5.0.0 is affected.

Solution

4.8, 4.9: upgrade to version 4.9.4 or newer.
5.x: upgrade to version 5.0.1 or newer.
Or apply the patch listed below under Patches.
Older versions: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b

References

Thanks to CSW Research Labs for reporting this vulnerability.

Assigned CVE ids: CVE-2020-5504
CWE ids: CWE-661

Patches

The following commit has been made to fix this issue:
c86acbf3ed49f69cf38b31879886dd5eb86b6983

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41          +
+ 75013 Paris             | email:cert@support.renater.fr +
=========================================================
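The Description above states the bug class (a username spliced into a SQL statement) without showing it. The following is an added illustration written for this note; it is not phpMyAdmin's code, and the `user` table, the `User`/`Host` columns, the sample accounts and the payload are all constructed stand-ins. It runs an in-memory SQLite database (not MySQL) so it can execute offline, and it puts the vulnerable query beside two hardened forms: a bound parameter, and quote-doubling escaping of the kind a server-side escape routine performs.

```python
import sqlite3

# Constructed stand-in for a grant table consulted by a user-accounts page.
# Not phpMyAdmin's schema; the column names merely echo mysql.user.
SAMPLE_ACCOUNTS = [
    ("alice", "localhost"),
    ("bob", "%"),
    ("root", "localhost"),
]


def open_db():
    """Create an in-memory database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (User TEXT, Host TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """The bug class: untrusted username concatenated straight into the SQL text."""
    sql = "SELECT User, Host FROM user WHERE User = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Preferred fix: a bound parameter, so the value never becomes SQL syntax."""
    sql = "SELECT User, Host FROM user WHERE User = ?"
    return conn.execute(sql, (username,)).fetchall()


def escape_sql_string(value):
    """Doubling single quotes is the standard-SQL escape for a string literal.
    (Assumed to stand in for a driver escape routine; a real MySQL deployment
    should use the driver's own escaping or, better, parameters.)"""
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    """Secondary fix: escape before interpolating, as a string-building fix would do."""
    sql = "SELECT User, Host FROM user WHERE User = '" + escape_sql_string(username) + "'"
    return conn.execute(sql).fetchall()


def demo():
    """Run each lookup with a benign and a constructed malicious username."""
    conn = open_db()
    benign = "alice"
    # Constructed payload: closes the literal and appends an always-true clause,
    # turning "WHERE User = 'alice'" into "WHERE User = 'alice' OR '1'='1'".
    malicious = "alice' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_malicious": lookup_vulnerable(conn, malicious),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_malicious": lookup_hardened(conn, malicious),
        "escaped_benign": lookup_escaped(conn, benign),
        "escaped_malicious": lookup_escaped(conn, malicious),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the concatenated query returns every account row (the injected clause is always true), while both hardened forms return nothing because no account is literally named `alice' OR '1'='1`. The attacker here is already a valid account holder, exactly the precondition the advisory states; what the injection buys is the ability to query or modify beyond that account's own row.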
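The Affected Versions and Solution sections define a version range; the function below, added here as a check for this note and not part of phpMyAdmin or CERT-Renater material, encodes that range so an inventory script can flag installs. It takes the version string as input; how the string is obtained (for example from the `RELEASE-DATE-<version>` marker file that phpMyAdmin release tarballs ship, which this check assumes but does not require) is left to the caller.

```python
import os
import re

# Fixed releases named in PMASA-2020-1: the first safe version per branch.
FIXED = {4: (4, 9, 4), 5: (5, 0, 1)}


def parse_version(text):
    """Turn '4.9.3' (or '4.9.3-rc1', '4.9.3+deb10') into a comparable tuple.

    Only the leading dotted numeric part is used; suffixes are ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so (4, 9) compares like (4, 9, 0).
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version):
    """True if the version is in an affected range, False if fixed.

    Returns None for branches the advisory does not cover (3.x and earlier),
    which should be treated as unsupported rather than as safe.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def version_from_install_dir(path):
    """Assumed convention: a RELEASE-DATE-<version> file in the install root.

    Returns the version string, or None if no such marker exists.
    """
    try:
        names = os.listdir(path)
    except OSError:
        return None
    for name in names:
        if name.startswith("RELEASE-DATE-"):
            return name[len("RELEASE-DATE-"):]
    return None


if __name__ == "__main__":
    for v in ["4.0.0", "4.9.3", "4.9.4", "5.0.0", "5.0.1", "3.5.8"]:
        print(v, "->", {True: "AFFECTED", False: "fixed", None: "not covered"}[is_affected(v)])
```

Treat a `None` result as a finding in its own right: the advisory only says the flaw is "at least as old as 4.0.0", so an unsupported 3.x install cannot be assumed clean.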