Vulnerability Description
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpmyadmin | Phpmyadmin | >= 4.0.0, < 4.9.4 |
| Suse | Suse Linux Enterprise Server | 12 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.htmlMailing ListThird Party Advisory
- https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.htmlExploitThird Party Advisory
- https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-5504.md
- https://lists.debian.org/debian-lts-announce/2020/01/msg00011.htmlMailing ListThird Party Advisory
- https://www.phpmyadmin.net/security/PMASA-2020-1/PatchVendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.htmlMailing ListThird Party Advisory
- https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.htmlExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/01/msg00011.htmlMailing ListThird Party Advisory
- https://www.phpmyadmin.net/security/PMASA-2020-1/PatchVendor Advisory
FAQ
What is CVE-2020-5504?
CVE-2020-5504 is a vulnerability with a CVSS score of 8.8 (HIGH). In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this p...
How severe is CVE-2020-5504?
CVE-2020-5504 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5504?
Check the references section above for vendor advisories and patch information. Affected products include: Phpmyadmin Phpmyadmin, Suse Suse Linux Enterprise Server, Debian Debian Linux.