Debian Security Advisory

DLA-2413-1 phpmyadmin -- LTS security update

Date Reported:
26 Oct 2020
Affected Packages:
phpmyadmin
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 971999, Bug 972000.
In Mitre's CVE dictionary: CVE-2019-19617, CVE-2020-26934, CVE-2020-26935.
More information:

Several vulnerabilities were found in package phpmyadmin.

  • CVE-2019-19617

    phpMyAdmin does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.

  • CVE-2020-26934

    A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.

    If an attacker sends the victim a crafted link containing malicious JavaScript, the JavaScript runs when the victim clicks the link and carries out the attacker's instructions.

  • CVE-2020-26935

    An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.

For Debian 9 stretch, these problems have been fixed in version 4.6.6-4+deb9u2.

We recommend that you upgrade your phpmyadmin packages.

For the detailed security status of phpmyadmin please refer to its security tracker page at: https://security-tracker.debian.org/tracker/phpmyadmin

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS