An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://www.phpmyadmin.net/security/PMASA-2019-5/ | patch vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BA4DGF7KTQS6WA2DRNJSW66L43WB7LRV/ | vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5GW4KEMNCBQYZCIXEJYC42OEBBN2NSH/ | vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00002.html | mailing list third party advisory vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html | vendor advisory |
| https://security.gentoo.org/glsa/202003-39 | vendor advisory |