CVSS: 8.0EPSS: 0%CPEs: 10EXPL: 0CVE-2020-10804
https://notcve.org/view.php?id=CVE-2020-10804
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores a 5.0.2, se encontró una vulnerabilidad de inyección SQL en la recuperación del nombre de usuario actual (en las bibliotecas libraries/classes/Server/Privileges.php y libraries/classes/UserPassword.php). Un usuario malicioso con acceso al servidor podría crear un nombre de usuario diseñado y luego engañar a la víctima para que realice acciones específicas con esa cuenta de usuario (tal y como editar sus privilegios). • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK https://lists.fedoraproject.org/archives/list/package-announce%40 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 2CVE-2020-5504
https://notcve.org/view.php?id=CVE-2020-5504
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. En phpMyAdmin versiones 4 anteriores a 4.9.4 y versiones 5 anteriores a 5.0.1, una inyección SQL se presenta en la página de cuentas de usuario. Un usuario malicioso podría inyectar SQL personalizado en lugar de su propio nombre de usuario cuando crea consultas en esta página. • https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.html https://lists.debian.org/debian-lts-announce/2020/01/msg00011.html https://www.phpmyadmin.net/security/PMASA-2020-1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19617
https://notcve.org/view.php?id=CVE-2019-19617
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php. phpMyAdmin versiones anteriores a 4.9.2 no escapa determinada información de Git, relacionada con las bibliotecas libraries/classes/Display/GitRevision.php y libraries/classes/Footer.php. • https://github.com/phpmyadmin/phpmyadmin/commit/1119de642b136d20e810bb20f545069a01dd7cc9 https://github.com/phpmyadmin/phpmyadmin/compare/RELEASE_4_9_1...RELEASE_4_9_2 https://lists.debian.org/debian-lts-announce/2019/12/msg00006.html https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2019-18622
https://notcve.org/view.php?id=CVE-2019-18622
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. Se detectó un problema en phpMyAdmin versiones anteriores a 4.9.2. Se puede utilizar un nombre de base de datos/tabla diseñado para desencadenar un ataque de inyección SQL por medio de la funcionalidad designer. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BA4DGF7KTQS6WA2DRNJSW66L43WB7LRV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5GW4KEMNCBQYZCIXEJYC42OEBBN2NSH https://security.gentoo.org/glsa/202003-39 https://www.phpmyadmin.net/security/PMASA-2019-5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 90%CPEs: 4EXPL: 3CVE-2019-12922 – phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-12922
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. Un problema de tipo CSRF en phpMyAdmin versión 4.9.0.1, permite la eliminación de cualquier servidor en la página de Setup. phpMyAdmin version 4.9.0.1 suffers from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/47385 http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00078.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html http://packetstormsecurity.com/files/154483/phpMyAdmin-4.9.0.1-Cross-Site-Request-Forgery.html http://seclists.org/fulldisclosure/2019/Sep/23 https://github.com/phpmyadmin/phpmyadmin/commit/427fbed55d3154d96ecfc1c7784d49eaa3c04161 https://github.com/phpmyadmin/phpmyadmin/commit/7d21d4223bdbe0306593309132b4263d7087d13b https://lists.fed • CWE-352: Cross-Site Request Forgery (CSRF) •