CVE-2019-18622:
SQL injection in phpMyAdmin
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-18622
GHSA ID:
EPSS Score: 0.76756%
CWE:
Published: 1/16/2020
Updated: 1/9/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | < 4.9.2 | 4.9.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of user-controlled database and table names in phpMyAdmin's designer feature. The fix commit touches two places:
- In move.js, database and table names were interpolated directly into HTML attributes (designer_url_table_name). A name read back out of the DOM is attacker-influenced, and it was later sent to the server and used in SQL queries without escaping.
- In database_tables.twig, the |raw filter was removed, so the rendered name is now HTML-escaped by Twig instead of being emitted verbatim.
Note that dropping |raw only changes how Twig escapes the value for HTML output; on its own it does not neutralize SQL injection. The SQL-side defect is that the functions handling these names propagate them into identifier positions in queries without quoting or validating them, so a crafted name can terminate the identifier and append arbitrary SQL. That part of the bug is closed only when the name is quoted (backtick-escaped) or checked against the server's own list of tables before it is concatenated into a query.