CVE-2020-10802

Description

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

How to fix CVE-2020-10802

To remediate CVE-2020-10802, upgrade the affected package to a fixed version below.

• —upgrade to 4.9.5 or later
• —upgrade to 4:4.9.5+dfsg1-1 or later
• —upgrade to 4:4.2.12-2+deb8u9 or later
• —upgrade to 4.9.5 or later

Is CVE-2020-10802 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 4.0.0, < 4.9.5, >= 5.0.0, < 5.0.2
• from 0, < 4:4.9.5+dfsg1-1
• from 0, < 4:4.2.12-2+deb8u9
• >= 4.9.0, < 4.9.5

CVSS scores

References (16)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-10802
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-10802
• PATCHgithub.com/phpmyadmin/composer
• WEBlists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html