==================================================================== CERT-Renater Note d'Information No. 2020/VULN566 _____________________________________________________________________ DATE : 12/10/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running phpMyAdmin versions prior to 4.9.6, 5.0.3. ===================================================================== https://www.phpmyadmin.net/security/PMASA-2020-6/ https://www.phpmyadmin.net/security/PMASA-2020-5/ _____________________________________________________________________ PMASA-2020-6 Announcement-ID: PMASA-2020-6 Date: 2020-10-10 Summary SQL injection vulnerability in SearchController Description An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. Severity We consider this flaw to be of moderate severity. Affected Versions phpMyAdmin 4.9.x releases prior to 4.9.6 and the 5.0.x releases prior to 5.0.3 are affected. Solution Upgrade to phpMyAdmin 4.9.6 or 5.0.3 or newer or apply patch listed below. References Thanks to André Sá from the SCA AppSec group at Checkmarx for reporting this vulnerability. Assigned CVE ids: CVE-2020-26935 CWE ids: CWE-661 Patches The following commits have been made to fix this issue: d09ab9bc9d634ad08b866d42bb8c4109869d38d2 More information For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net. _____________________________________________________________________ PMASA-2020-5 Announcement-ID: PMASA-2020-5 Date: 2020-10-10 Summary XSS relating to the transformation feature Description A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. Severity We consider this flaw to be of moderate severity. Affected Versions phpMyAdmin 4.9.x releases prior to 4.9.6 and the 5.0.x releases prior to 5.0.3 are affected. We believe the flaw was introduced with phpMyAdmin 2.5.0. Solution Upgrade to phpMyAdmin 4.9.6 or 5.0.3 or newer or apply patch listed below. References Thanks to Giwan Go for reporting this vulnerability. Assigned CVE ids: CVE-2020-26934 CWE ids: CWE-661 Patches The following commits have been made to fix this issue: 19df63b0365621427697edc185ff7c9c5707c523 More information For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net. ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================