DNA View

CVE-2020-10803

Medium

Low Medium High Critical

5.4

CVSS Score

Published: Mar 22, 2020

Last Modified: Nov 21, 2024

CWE: CWE-79

Vulnerability Description

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

7 configuration(s) from 4 vendor(s)

debian_linux

Version:

8.0

CPE:

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

fedora

Version:

CPE:

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

fedora

Version:

CPE:

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

fedora

Version:

CPE:

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

backports_sle

Version:

15.0

CPE:

cpe:2.3:a:opensuse:backports_sle:15.0:sp3:*:*:*:*:*:*

leap

Version:

15.1

CPE:

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

package_hub

Version:

CPE:

cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*

This vulnerability affects 7 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

5.4

out of 10.0

Medium

Weakness Type (CWE)

CWE-79 Top 25 #1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Exploit Likelihood: High
Typical Severity: Medium
OWASP Top 10: A03:2021-Injection
Abstraction Level: Base