CVE-2020-10802
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-10802 is a SQL injection in phpMyAdmin's table search controller, exploitable via crafted database/table names and patched in versions 4.9.5 and 5.0.2.
Vulnerability
Overview
CVE-2020-10802 is a SQL injection vulnerability found in phpMyAdmin, affecting versions 4.x before 4.9.5 and 5.x before 5.0.2. The flaw resides in libraries/classes/Controllers/Table/TableSearchController.php, where certain parameters are not properly escaped when generating queries for search actions [1][4]. An attacker can exploit this by creating a database or table with a specially crafted name that, when a user performs a search operation on that database or table, leads to malicious SQL being injected into the query [4].
Exploitation
To exploit this vulnerability, an attacker must first be able to create database objects (databases or tables) in the target MySQL server that the phpMyAdmin instance manages, for example through legitimate database-creation privileges or some other mechanism. The attack is then triggered when a user (such as an administrator) performs a search operation on the maliciously named database or table [4]. Because the crafted name is inserted into the generated SQL query without proper escaping, the part of the name that follows the identifier is parsed as SQL, allowing the attacker to execute arbitrary SQL statements in that user's session. The vulnerability is classified as moderate severity because it requires specific preconditions (creating a malicious database/table and a user performing a search on it) [4].
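To make the mechanism concrete, here is an added PHP illustration (not phpMyAdmin's code; the function names and the query shape are assumptions) of a table name spliced raw into a search query beside the identifier-quoting form that keeps the name inert, plus a check a reviewer or unit test can apply to the quoted result:

```php
<?php
// Added illustration for CVE-2020-10802's mechanism; it is not phpMyAdmin's code.
// The function names and the query shape are hypothetical. The point: a database
// or table name is an identifier and must be quoted as one, never concatenated raw.

/**
 * Vulnerable pattern: the table name is spliced into the SQL text unchanged.
 * A name containing a backtick closes the identifier early, and whatever
 * follows in the name is parsed as SQL. The search value itself is bound as a
 * parameter (the '?'), which does nothing to protect the identifier position.
 */
function buildSearchQueryUnsafe(string $table, string $column): string
{
    return "SELECT * FROM `$table` WHERE `$column` LIKE ?";
}

/**
 * Hardened pattern: backquote every identifier and double any backtick inside
 * it (MySQL's escape for a backtick within a quoted identifier), so the whole
 * name remains a single identifier token regardless of its contents.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildSearchQuerySafe(string $table, string $column): string
{
    return 'SELECT * FROM ' . quoteIdentifier($table)
         . ' WHERE ' . quoteIdentifier($column) . ' LIKE ?';
}

/**
 * Defender check usable in a code review or unit test: after quoting, the text
 * between the outer backticks may contain backticks only in doubled pairs.
 */
function identifierStaysIntact(string $quoted): bool
{
    $inner = substr($quoted, 1, -1);
    return strpos(str_replace('``', '', $inner), '`') === false;
}

// Constructed sample: a table whose *name* carries SQL, the situation the CVE describes.
$craftedTable = 'orders` -- ';

echo buildSearchQueryUnsafe($craftedTable, 'customer'), PHP_EOL; // identifier ends at "orders`"
echo buildSearchQuerySafe($craftedTable, 'customer'), PHP_EOL;   // name stays inside one identifier
var_dump(identifierStaysIntact(quoteIdentifier($craftedTable)));
```

The same doubling rule applies to the database name and to any column name taken from metadata; the search value is the only part that belongs in a bound parameter.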
Impact
Successful exploitation allows an attacker to perform arbitrary SQL injection, potentially reading, modifying, or deleting data in the underlying MySQL database. The injected statements run with the database permissions of the user who performed the search, so the attacker could also gain further access or escalate privileges depending on those permissions. Because phpMyAdmin is often used with administrative privileges, this could lead to full compromise of the database server.
Mitigation
The phpMyAdmin project has addressed CVE-2020-10802 in versions 4.9.5 and 5.0.2 [4]. Users are strongly advised to upgrade to these versions or later. Patches are also available in the form of specific commits to the codebase [4]. There are no known workarounds; upgrading is the recommended remediation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 4.9.0, < 4.9.5 | 4.9.5 |
| phpmyadmin/phpmyadmin | Packagist | >= 5.0.0, < 5.0.2 | 5.0.2 |
Affected products
- phpMyAdmin/phpMyAdmin
  Package coordinates (OSV, 6 version ranges):
  - pkg:bitnami/phpmyadmin
  - pkg:composer/phpmyadmin/phpmyadmin
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP1
  Affected version ranges (no CPE):
  - >= 4.0.0, < 4.9.5
  - >= 4.9.0, < 4.9.5
  - < 4.9.5-43.1
  - < 4.9.5-43.1
  - < 4.9.7-bp151.3.24.1
  - < 4.9.5-bp151.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html (ghsa; vendor-advisory, x_refsource_SUSE; WEB)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html (ghsa; vendor-advisory, x_refsource_SUSE; WEB)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html (ghsa; vendor-advisory, x_refsource_SUSE; WEB)
- github.com/advisories/GHSA-f4cr-3xmc-2wpm (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/ (mitre; vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-10802 (ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10802.yaml (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2020/03/msg00028.html (ghsa; mailing-list, x_refsource_MLIST; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO (ghsa; WEB)
- www.phpmyadmin.net/security/PMASA-2020-3 (ghsa; WEB)
- www.phpmyadmin.net/security/PMASA-2020-3/ (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.