phpMyAdmin SQL injection in user accounts page
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Apr 24, 2024
Package
Affected versions
>= 4.0.0, < 4.9.4
>= 5.0.0, < 5.0.1
Patched versions
4.9.4
5.0.1
Description
Published by the National Vulnerability Database
Jan 9, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Apr 24, 2024
Last updated
Apr 24, 2024
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
References