openSUSE-SU-2020:0405-1

Published: 29 Mar 2020
Source: suse-cvrf

Description

Security update for phpMyAdmin

This update for phpMyAdmin to version 4.9.5 fixes the following issues:

  • phpMyAdmin was updated to 4.9.5:

    • CVE-2020-10804: Fixed an SQL injection in the user accounts page, particularly when changing a password (boo#1167335 PMASA-2020-2).

    • CVE-2020-10802: Fixed an SQL injection in the search feature (boo#1167336 PMASA-2020-3).

    • CVE-2020-10803: Fixed an SQL injection and XSS when displaying results (boo#1167337 PMASA-2020-4).

    • Removed the 'options' field for the external transformation.

Package list

SUSE Package Hub 12
phpMyAdmin-4.9.5-43.1
openSUSE Leap 15.1
phpMyAdmin-4.9.5-43.1

Description (CVE-2020-10802, PMASA-2020-3)

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.


Affected products
SUSE Package Hub 12:phpMyAdmin-4.9.5-43.1
openSUSE Leap 15.1:phpMyAdmin-4.9.5-43.1


Description (CVE-2020-10803, PMASA-2020-4)

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.


Affected products
SUSE Package Hub 12:phpMyAdmin-4.9.5-43.1
openSUSE Leap 15.1:phpMyAdmin-4.9.5-43.1
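The failure mode described for CVE-2020-10803 is stored data flowing into the results page as markup. The following is an added illustration of that pattern and its fix, written for this page; it is not phpMyAdmin's own rendering code. The result set, the `<img onerror=...>` cell and the helper names (`render_cell_vulnerable`, `render_cell_fixed`, `render_table`, `contains_live_tag`) are all constructed for the example.

```python
import html

# Constructed sample result set: the second row holds the kind of attacker-inserted
# cell value the advisory describes (stored in the table, returned when browsing).
# The third row shows how SQL NULL is handled separately from the empty string.
SAMPLE_ROWS = [
    ("1", "alice"),
    ("2", '<img src=x onerror="alert(document.cookie)">'),
    ("3", None),
]


def render_cell_vulnerable(value):
    # Raw interpolation: whatever is stored in the table becomes markup in the page.
    return "<td>" + ("NULL" if value is None else str(value)) + "</td>"


def render_cell_fixed(value):
    # Encode for the HTML text context; quote=True also neutralises ' and " so the
    # same helper is safe if a value ends up inside an attribute.
    if value is None:
        return "<td><em>NULL</em></td>"
    return "<td>" + html.escape(str(value), quote=True) + "</td>"


def render_table(rows, cell_renderer):
    # Render a result set as an HTML table using the given per-cell renderer.
    out = ["<table>"]
    for row in rows:
        out.append("<tr>" + "".join(cell_renderer(v) for v in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def contains_live_tag(markup):
    # Crude check used by the demo: does an attacker-supplied <img ...> tag survive
    # as real markup in the rendered page?
    return "<img" in markup


def demo():
    # Returns (vulnerable renderer leaks the tag, fixed renderer leaks the tag).
    return (
        contains_live_tag(render_table(SAMPLE_ROWS, render_cell_vulnerable)),
        contains_live_tag(render_table(SAMPLE_ROWS, render_cell_fixed)),
    )


if __name__ == "__main__":
    print(render_table(SAMPLE_ROWS, render_cell_fixed))
    print(demo())
```

The point of the fix is that encoding happens at the output boundary, per cell, regardless of where the value came from; input validation on the insert path would not help here because the data can arrive through any client that can write to the table.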


Description (CVE-2020-10804, PMASA-2020-2)

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).


Affected products
SUSE Package Hub 12:phpMyAdmin-4.9.5-43.1
openSUSE Leap 15.1:phpMyAdmin-4.9.5-43.1
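Both CVE-2020-10802 (crafted database or table name reaching the search query) and CVE-2020-10804 (crafted username reaching the privileges query) are the same class of bug: a name read back from the server is treated as trusted and spliced into a generated query without identifier quoting. The block below is an added example for this page, not phpMyAdmin's code; it shows the vulnerable builder beside the fixed one and runs both against an in-memory SQLite database (which accepts backtick-quoted identifiers with the MySQL doubling rule). The table names, the `api_keys` table and the helper names (`backquote`, `quote_literal`, `search_query_vulnerable`, `search_query_fixed`, `make_db`, `run`, `demo`) are all constructed for the example.

```python
import sqlite3


def backquote(identifier: str) -> str:
    # Backtick-quote a MySQL identifier, doubling any embedded backtick so it
    # cannot terminate the quoted name. Written here for the example.
    return "`" + identifier.replace("`", "``") + "`"


def quote_literal(value: str) -> str:
    # Quote a string literal (single quotes doubled). Both builders below use this
    # for the search value, so the only difference between them is the identifier.
    return "'" + value.replace("'", "''") + "'"


def search_query_vulnerable(table: str, needle: str) -> str:
    # Before: the table name is pasted into the query as-is. Escaping the value
    # does nothing for an attacker who controls the identifier.
    return f"SELECT name FROM `{table}` WHERE name LIKE {quote_literal('%' + needle + '%')}"


def search_query_fixed(table: str, needle: str) -> str:
    # After: the identifier goes through backquote(); a backtick inside the name
    # is doubled and the whole crafted string stays one table name.
    return f"SELECT name FROM {backquote(table)} WHERE name LIKE {quote_literal('%' + needle + '%')}"


# Constructed attacker-chosen table name: closes the identifier, appends a UNION
# against another table, and comments out whatever the builder adds afterwards.
CRAFTED_TABLE = "t` UNION SELECT token FROM api_keys --"


def make_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the MySQL server. All tables are constructed.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (name TEXT)")
    con.execute("INSERT INTO t VALUES ('bob')")
    con.execute("CREATE TABLE api_keys (token TEXT)")
    con.execute("INSERT INTO api_keys VALUES ('sk-live-0001')")
    # The crafted name really exists as a table, created with proper quoting.
    con.execute(f"CREATE TABLE {backquote(CRAFTED_TABLE)} (name TEXT)")
    con.execute(f"INSERT INTO {backquote(CRAFTED_TABLE)} VALUES ('alice')")
    return con


def run(con: sqlite3.Connection, sql: str) -> list:
    # Execute a query and return the first column of every row, sorted.
    return sorted(row[0] for row in con.execute(sql))


def demo():
    # A user searches the crafted table for 'ali'.
    con = make_db()
    # Vulnerable builder: the WHERE clause is commented away and api_keys rows are
    # appended to the result, so the search returns bob and the leaked token.
    leaked = run(con, search_query_vulnerable(CRAFTED_TABLE, "ali"))
    # Fixed builder: the query targets the oddly named table and applies the filter.
    correct = run(con, search_query_fixed(CRAFTED_TABLE, "ali"))
    return leaked, correct


if __name__ == "__main__":
    print(search_query_vulnerable(CRAFTED_TABLE, "ali"))
    print(search_query_fixed(CRAFTED_TABLE, "ali"))
    print(demo())
```

The same rule applies to the username case: a name obtained from the server (table list, current user, grantee) is attacker-influenced data, and every identifier or literal built from it must be quoted for its position in the statement, not just the values the end user typed into the form.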
