CVE-2019-18622:
SQL injection in phpMyAdmin

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.76756%
Published
1/16/2020
Updated
1/9/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
phpmyadmin/phpmyadmin
Ecosystem
composer
Vulnerable Versions
< 4.9.2
First Patched Version
4.9.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper sanitization of user-controlled database/table names in the designer feature. The commit diff shows:

  1. In move.js, database/table names were interpolated directly into HTML attributes (designer_url_table_name). A crafted name can therefore break out of the attribute, and the same value is later sent back to the server, where it is used in SQL queries without escaping.
  2. In database_tables.twig, the |raw filter was removed. That filter disables Twig's HTML escaping, so its presence shows the names were being rendered verbatim. The combination of client-side injection into the DOM and server-side SQL built from the same unescaped names created the SQL injection vector: these code paths take user-provided names and propagate them into SQL contexts without adequate sanitization, in particular without proper identifier quoting.

WAF Protection Rules

WAF Rule

An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
