CVE-2020-10804
Description
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection in phpMyAdmin (4.x before 4.9.5 and 5.x before 5.0.2) via crafted usernames allows attackers with server access to manipulate database queries.
Vulnerability
Overview
CVE-2020-10804 is an SQL injection vulnerability found in phpMyAdmin, a popular web-based MySQL administration tool. The flaw resides in the retrieval of the current username in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php. A malicious user with access to the server can create a specially-crafted username that, when processed by vulnerable phpMyAdmin versions, leads to SQL injection [1][2].
Exploitation
To exploit this vulnerability, an attacker must already have some level of access to the server (such as a database user account). The attacker creates a crafted username containing SQL injection payloads. Then, a victim (often another administrator) must be tricked into performing specific actions with that user account, such as editing its privileges [3][4]. The attack is not trivial, as it requires both server access and social engineering, but it can lead to serious consequences.
Impact
Successful exploitation allows the attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access, privilege escalation, or complete compromise of the database server. The same flaw could also cause server errors for users whose usernames contain certain characters when they attempt to change their MySQL passwords [3][4].
Mitigation
The phpMyAdmin project has released patches and upgrades to address this issue. Users should upgrade to phpMyAdmin 4.9.5 or 5.0.2 or later. Patches are also available as commits in the official repository [3][4]. The vulnerability is considered moderately severe due to the specific preconditions required for exploitation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 4.9.0, < 4.9.5 | 4.9.5 |
| phpmyadmin/phpmyadmin | Packagist | >= 5.0.0, < 5.0.2 | 5.0.2 |
Affected products
- phpMyAdmin/phpMyAdmin (OSV coordinates, 6 versions):
  - pkg:bitnami/phpmyadmin
  - pkg:composer/phpmyadmin/phpmyadmin
  - pkg:rpm/opensuse/phpMyAdmin (distro: openSUSE Leap 15.1)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 12)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 15)
  - pkg:rpm/suse/phpMyAdmin (distro: SUSE Package Hub 15 SP1)
- Affected ranges (no CPE):
  - >= 4.0.0, < 4.9.5
  - >= 4.9.0, < 4.9.5
  - < 4.9.5-43.1
  - < 4.9.5-43.1
  - < 4.9.7-bp151.3.24.1
  - < 4.9.5-bp151.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- github.com/advisories/GHSA-h65r-8fp8-w7cx (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/ (mitre; vendor-advisory; x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-10804 (ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10804.yaml (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO (ghsa; WEB)
- www.phpmyadmin.net/security/PMASA-2020-2 (ghsa; WEB)
- www.phpmyadmin.net/security/PMASA-2020-2/ (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.