Bitnami package

phpmyadmin

pkg:bitnami/phpmyadmin

Vulnerabilities (15)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-24530	Med	6.4	>= 5.0.0, < 5.2.2	5.2.2	Jan 23, 2025	An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
CVE-2025-24529	Med	6.4	>= 5.0.0, < 5.2.2	5.2.2	Jan 23, 2025	An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
CVE-2023-25727		—	< 4.9.11	4.9.11	Feb 13, 2023	In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.
CVE-2020-22452		—	>= 5.0.0, < 5.2.0	5.2.0	Jan 26, 2023	SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
CVE-2022-0813		—	< 5.1.2	5.1.2	Mar 9, 2022	PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
CVE-2022-23808		—	>= 5.1.0, < 5.1.2	5.1.2	Jan 22, 2022	An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
CVE-2022-23807		—	>= 4.9.0, < 4.9.8	4.9.8	Jan 22, 2022	An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
CVE-2020-22278		—	< 5.0.3	5.0.3	Nov 4, 2020	phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents.
CVE-2020-26934		—	>= 4.9.0, < 4.9.6	4.9.6	Oct 10, 2020	phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
CVE-2020-26935		—	>= 4.9.0, < 4.9.6	4.9.6	Oct 10, 2020	An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.
CVE-2020-11441		—	>= 5.0.2, < 5.0.3	5.0.3	Mar 31, 2020	phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page. NOTE: the vendor states "I don't see anything specifically exploitable.
CVE-2020-10802		—	>= 4.0.0, < 4.9.5	4.9.5	Mar 22, 2020	In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacke
CVE-2020-10803		—	>= 4.0.0, < 4.9.5	4.9.5	Mar 22, 2020	In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker m
CVE-2020-10804		—	>= 4.0.0, < 4.9.5	4.9.5	Mar 22, 2020	In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted
CVE-2020-5504		—	>= 4.0.0, < 4.9.4	4.9.4	Jan 9, 2020	In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

CVE-2025-24530MedJan 23, 2025
affected >= 5.0.0, < 5.2.2fixed 5.2.2
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
CVE-2025-24529MedJan 23, 2025
affected >= 5.0.0, < 5.2.2fixed 5.2.2
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
CVE-2023-25727Feb 13, 2023
affected < 4.9.11fixed 4.9.11
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.
CVE-2020-22452Jan 26, 2023
affected >= 5.0.0, < 5.2.0fixed 5.2.0
SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
CVE-2022-0813Mar 9, 2022
affected < 5.1.2fixed 5.1.2
PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
CVE-2022-23808Jan 22, 2022
affected >= 5.1.0, < 5.1.2fixed 5.1.2
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
CVE-2022-23807Jan 22, 2022
affected >= 4.9.0, < 4.9.8fixed 4.9.8
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
CVE-2020-22278Nov 4, 2020
affected < 5.0.3fixed 5.0.3
phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents.
CVE-2020-26934Oct 10, 2020
affected >= 4.9.0, < 4.9.6fixed 4.9.6
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
CVE-2020-26935Oct 10, 2020
affected >= 4.9.0, < 4.9.6fixed 4.9.6
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.
CVE-2020-11441Mar 31, 2020
affected >= 5.0.2, < 5.0.3fixed 5.0.3
phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page. NOTE: the vendor states "I don't see anything specifically exploitable.
CVE-2020-10802Mar 22, 2020
affected >= 4.0.0, < 4.9.5fixed 4.9.5
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacke
CVE-2020-10803Mar 22, 2020
affected >= 4.0.0, < 4.9.5fixed 4.9.5
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker m
CVE-2020-10804Mar 22, 2020
affected >= 4.0.0, < 4.9.5fixed 4.9.5
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted
CVE-2020-5504Jan 9, 2020
affected >= 4.0.0, < 4.9.4fixed 4.9.4
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.