Debian Security Advisory

DLA-2413-1 phpmyadmin -- LTS security update

Date Reported:
26 Oct 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 971999, Bug 972000.
In Mitre's CVE dictionary: CVE-2019-19617, CVE-2020-26934, CVE-2020-26935.
More information:

Several vulnerabilities were found in package phpmyadmin.

  • CVE-2019-19617

    phpMyAdmin does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes /Footer.php.

  • CVE-2020-26934

    A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.

    If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

  • CVE-2020-26935

    An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.

For Debian 9 stretch, these problems have been fixed in version 4.6.6-4+deb9u2.

We recommend that you upgrade your phpmyadmin packages.

For the detailed security status of phpmyadmin please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: