Description
Security update for phpMyAdmin
This update for phpMyAdmin fixes the following issues:
phpMyAdmin was updated to 4.9.7 (boo#1177842):
- Fix two factor authentication that was broken in 4.9.6
- Fix incompatibilities with older PHP versions
Update to 4.9.6:
- Fixed XSS relating to the transformation feature (boo#1177561 CVE-2020-26934, PMASA-2020-5)
- Fixed SQL injection vulnerability in SearchController (boo#1177562 CVE-2020-26935, PMASA-2020-6)
Update to 4.9.5:
This is a security release containing several bug fixes.
- CVE-2020-10804: SQL injection vulnerability in the user accounts page, particularly when changing a password (boo#1167335, PMASA-2020-2)
- CVE-2020-10802: SQL injection vulnerability relating to the search feature (boo#1167336, PMASA-2020-3)
- CVE-2020-10803: SQL injection and XSS having to do with displaying results (boo#1167337, PMASA-2020-4)
- Removal of the 'options' field for the external transformation.
Package List
SUSE Package Hub 12
SUSE Package Hub 15
SUSE Package Hub 15 SP1
openSUSE Leap 15.1
References
- E-Mail link for openSUSE-SU-2020:1806-1
- SUSE Security Ratings
- SUSE Bug 1167335
- SUSE Bug 1167336
- SUSE Bug 1167337
- SUSE Bug 1177561
- SUSE Bug 1177562
- SUSE Bug 1177842
- SUSE CVE CVE-2020-10802 page
- SUSE CVE CVE-2020-10803 page
- SUSE CVE CVE-2020-10804 page
- SUSE CVE CVE-2020-26934 page
- SUSE CVE CVE-2020-26935 page
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
Affected Products
References
- CVE-2020-10802
- SUSE Bug 1167336
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
Affected Products
References
- CVE-2020-10803
- SUSE Bug 1167337
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
Affected Products
References
- CVE-2020-10804
- SUSE Bug 1167335
Description
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
Affected Products
References
- CVE-2020-26934
- SUSE Bug 1177561
Description
A SQL injection vulnerability was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3, in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.
Affected Products
References
- CVE-2020-26935
- SUSE Bug 1177562
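The five CVE entries above each give an affected range of the form "4.x before X and 5.x before Y". The following script, added here as an illustration and not part of the advisory or of phpMyAdmin, turns those ranges into a check that reports which of this advisory's CVEs an installed phpMyAdmin version is still exposed to. The package strings it parses (an rpm-style "phpMyAdmin-4.9.7-bp151.3.12.1" form and the sample inventory in main) are constructed for the example; only the CVE identifiers and fix versions come from the advisory text.

```python
"""Map an installed phpMyAdmin version to the CVEs from openSUSE-SU-2020:1806-1
that it is still exposed to, using the fixed versions stated in the advisory."""
import re
from typing import Dict, List, Tuple

# (affected major branch, first fixed version in that branch), per the advisory.
FIXES: Dict[str, List[Tuple[int, str]]] = {
    "CVE-2020-10802": [(4, "4.9.5"), (5, "5.0.2")],
    "CVE-2020-10803": [(4, "4.9.5"), (5, "5.0.2")],
    "CVE-2020-10804": [(4, "4.9.5"), (5, "5.0.2")],
    "CVE-2020-26934": [(4, "4.9.6"), (5, "5.0.3")],
    "CVE-2020-26935": [(4, "4.9.6"), (5, "5.0.3")],
}

# Branches whose exposure the advisory actually assesses (4.x and 5.x).
COVERED_BRANCHES = {4, 5}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the upstream version from strings such as '4.9.7',
    '4.9.7-bp151.3.12.1' or 'phpMyAdmin-4.9.7-bp151.3.12.1' (the rpm-style
    forms are assumed examples, not taken from the advisory).  The first
    dotted number wins; anything after it is packaging release metadata."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def unfixed_cves(installed: str) -> List[str]:
    """Return the advisory's CVEs that `installed` has not received a fix for.

    Raises ValueError for branches the advisory does not cover, so that an
    empty result always means 'fixed' rather than 'not assessed'."""
    version = parse_version(installed)
    if version[0] not in COVERED_BRANCHES:
        raise ValueError(
            f"{installed!r}: branch {version[0]}.x is not assessed by this advisory")
    exposed: List[str] = []
    for cve, branches in sorted(FIXES.items()):
        for major, fixed in branches:
            # Tuple comparison handles differing lengths: (4, 9) < (4, 9, 5).
            if version[0] == major and version < parse_version(fixed):
                exposed.append(cve)
                break
    return exposed


def audit(packages: List[str]) -> Dict[str, List[str]]:
    """Run the check over an inventory of package strings, keeping the
    per-package result so a fleet report can be produced in one pass."""
    return {pkg: unfixed_cves(pkg) for pkg in packages}


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    sample = [
        "phpMyAdmin-4.9.4-bp151.3.9.1",
        "phpMyAdmin-4.9.5-bp151.3.10.1",
        "phpMyAdmin-4.9.7-bp151.3.12.1",
        "5.0.2",
    ]
    for pkg, cves in audit(sample).items():
        status = ", ".join(cves) if cves else "all advisory CVEs fixed"
        print(f"{pkg:35} {status}")
```

The check is only as good as the version string: a distribution that backports the fixes without bumping the upstream version would show as exposed here, so confirm against the package changelog before raising a finding. Conversely, 4.9.6 passes the CVE check but the advisory notes that its two-factor authentication was broken and fixed in 4.9.7, so the advisory's shipped version is the one to target.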