SB2019112306 - SQL injection in phpMyAdmin
Published: November 23, 2019 Updated: January 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2019-18622)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the database name in the designer feature. A remote attacker can execute arbitrary SQL queries in database via a specially crafted database name.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
2) Stored cross-site scripting (CVE-ID: CVE-2019-19617)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of certain GIT information in libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php scrips. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://www.phpmyadmin.net/security/PMASA-2019-5/
- https://github.com/phpmyadmin/phpmyadmin/commit/1119de642b136d20e810bb20f545069a01dd7cc9
- https://github.com/phpmyadmin/phpmyadmin/compare/RELEASE_4_9_1...RELEASE_4_9_2
- https://lists.debian.org/debian-lts-announce/2019/12/msg00006.html
- https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/