CVE-2020-10803
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in phpMyAdmin allows attackers to trigger a stored XSS attack by inserting crafted data into database tables, affecting versions before 4.9.5 and 5.0.2.
Vulnerability
Overview
CVE-2020-10803 is a SQL injection vulnerability in phpMyAdmin that can be exploited to achieve stored cross-site scripting (XSS). The flaw resides in the handling of database query results within tbl_get_field.php and libraries/classes/Display/Results.php. When a user retrieves data from a database table (e.g., via the Browse tab), malicious SQL code injected into the database can be executed, leading to XSS when the results are displayed [1][4].
Exploitation
Requirements
An attacker must have the ability to insert specially crafted data into certain database tables accessible through phpMyAdmin. This typically requires some level of database write access. When the victim (e.g., another phpMyAdmin user) views the tainted data, the malicious SQL payload is processed, and the resulting output triggers an XSS attack in the victim's browser [4]. The attack does not require direct interaction with the SQL query interface—it leverages the normal data display functionality.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the phpMyAdmin session of the victim. This could lead to session hijacking, data exfiltration, or further compromise of the database server, depending on the privileges of the victim. The vulnerability is classified as moderate severity by the phpMyAdmin team [4].
Mitigation
The vulnerability affects phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, with the flaw believed to have been introduced in version 3.4. Users should upgrade to phpMyAdmin 4.9.5 or 5.0.2 or later. The fix is also available via specific git commits (e.g., 46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5) [4]. No workarounds are documented; upgrading is the recommended remediation.
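The mechanism the narrative describes is a classic output-encoding failure: a value stored in a table cell is written into the HTML results view without being encoded, so whoever browses the table runs it as markup. The snippet below is an illustration added here (it is not phpMyAdmin's code and does not reproduce the referenced fix commit); the rows, the hostile cell and the function names are constructed for the demonstration. It places the vulnerable rendering pattern beside the hardened one and adds a small regression check a reviewer could keep around for any results view.

```php
<?php
// Added illustration (not phpMyAdmin code): a stored value echoed into an HTML
// results table without output encoding becomes stored XSS; encoding every
// cell at the output boundary prevents it.

// Constructed sample rows, as a client would receive them from a SELECT on a
// table that an attacker has write access to.
$rows = [
    ['id' => 1, 'comment' => 'plain text is fine'],
    ['id' => 2, 'comment' => '<script>alert("stored xss")</script>'], // constructed hostile cell
    ['id' => 3, 'comment' => 'Tom & Jerry <3'],
];

// Vulnerable pattern: the cell content is interpolated into markup verbatim.
function renderCellUnsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: encode at the output boundary, for every cell, no matter
// how "trusted" the table looks. ENT_QUOTES also covers attribute contexts.
function renderCellSafe(?string $value): string
{
    if ($value === null) {
        return '<td><i>NULL</i></td>';
    }
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Renders all rows with the supplied cell renderer.
function renderTable(array $rows, callable $cellRenderer): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= $cellRenderer((string) $cell);
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Defender-side regression check: after removing the tags the view itself
// emits, any remaining '<' came from data and was not encoded.
function containsUnencodedTags(string $html): bool
{
    $stripped = preg_replace('#</?(table|tr|td|i)>#', '', $html);
    return strpos($stripped, '<') !== false;
}

echo "Unsafe rendering:\n" . renderTable($rows, 'renderCellUnsafe');
echo "Safe rendering:\n" . renderTable($rows, 'renderCellSafe');

echo "unsafe view leaks raw tags: " . var_export(containsUnencodedTags(renderTable($rows, 'renderCellUnsafe')), true) . "\n";
echo "safe view leaks raw tags:   " . var_export(containsUnencodedTags(renderTable($rows, 'renderCellSafe')), true) . "\n";
```

Run it with `php` on the command line; the unsafe view reproduces the hostile cell as live markup while the safe view shows it as literal text. The point of the check is that it is the view, not the stored data, that must be hardened: write access to a table is a normal privilege, so any cell can carry markup and the renderer has to treat every value as untrusted.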
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 3.4, < 4.9.5 | 4.9.5 |
| phpmyadmin/phpmyadmin | Packagist | >= 5.0.0, < 5.0.2 | 5.0.2 |
Affected products
- phpMyAdmin/phpMyAdmin, with six package coordinates:
  - pkg:bitnami/phpmyadmin
  - pkg:composer/phpmyadmin/phpmyadmin
  - pkg:rpm/opensuse/phpMyAdmin (distro: openSUSE Leap 15.1)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 12)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 15)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 15 SP1)
- Affected version ranges (no CPE assigned):
  - >= 4.0.0, < 4.9.5
  - >= 3.4, < 4.9.5
  - < 4.9.5-43.1
  - < 4.9.5-43.1
  - < 4.9.7-bp151.3.24.1
  - < 4.9.5-bp151.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html (source: GHSA; vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html (source: GHSA; vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html (source: GHSA; vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-fcww-8wvc-38q9 (source: GHSA; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/ (source: MITRE; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/ (source: MITRE; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/ (source: MITRE; vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-10803 (source: GHSA; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10803.yaml (source: GHSA; WEB)
- lists.debian.org/debian-lts-announce/2020/03/msg00028.html (source: GHSA; mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ (source: GHSA; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK (source: GHSA; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO (source: GHSA; WEB)
- www.phpmyadmin.net/security/PMASA-2020-4 (source: GHSA; WEB)
- www.phpmyadmin.net/security/PMASA-2020-4/ (source: MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.