CVE-2020-5504

HIGH

phpMyAdmin <4.9.4-5.0.1 - SQL Injection

Title source: llm

Description

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Exploits (2)

nomisec WORKING POC 1 stars

by xMohamed0 · poc

https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin

View Code ZIP pw:eip

exploitdb WORKING POC

by CodeSecLab · textwebappsphp

https://www.exploit-db.com/exploits/52451

View Code ZIP pw:eip

References (5)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html

[Exploit, Third Party Advisory] https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.html

[Various Sources] https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-5504.md

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/01/msg00011.html

[Patch, Vendor Advisory] https://www.phpmyadmin.net/security/PMASA-2020-1/

Scores

CVSS v3 8.8

EPSS 0.2314

EPSS Percentile 95.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-89

Status published

Affected Products (4)

phpmyadmin/phpmyadmin < 4.9.4

suse/suse_linux_enterprise_server

debian/debian_linux

phpmyadmin/phpmyadmin < 4.9.4Packagist

Timeline

Published Jan 09, 2020

Tracked Since Feb 18, 2026