8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-10802

GHSA ID

GHSA-f4cr-3xmc-2wpm

EPSS Score

0.82739%

CWE

CWE-89

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-10802

CVE-2020-10802: phpMyAdmin SQL injection vulnerability

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

(GitHub Advisory)

8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-10802

GHSA ID

GHSA-f4cr-3xmc-2wpm

EPSS Score

0.82739%

CWE

CWE-89

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpmyadmin/phpmyadmin	composer	>= 4.9.0, < 4.9.5	4.9.5
phpmyadmin/phpmyadmin	composer	>= 5.0.0, < 5.0.2	5.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly occurs in TableSearchController.php during query generation for search actions. The advisory states parameters weren't properly escaped when building queries, and the CWE-89 classification confirms SQL injection. The commit a8acd7a42cf referenced in PMASA-2020-3 likely fixed parameter handling in this controller's query construction logic. Though exact pre-patch code isn't shown, the file path and functionality described match the SQL injection vector through unescaped database/table name parameters during search operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In p*pMy**min *.x ***or* *.*.* *n* *.x ***or* *.*.*, * SQL inj**tion vuln*r**ility **s ***n *is*ov*r** w**r* **rt*in p*r*m*t*rs *r* not prop*rly *s**p** w**n **n*r*tin* **rt*in qu*ri*s *or s**r** **tions in li*r*ri*s/*l*ss*s/*ontroll*rs/T**l*/T**l*S*

Reasoning

T** vuln*r**ility *xpli*itly o**urs in `T**l*S**r***ontroll*r.p*p` *urin* qu*ry **n*r*tion *or s**r** **tions. T** **visory st*t*s p*r*m*t*rs w*r*n't prop*rly *s**p** w**n *uil*in* qu*ri*s, *n* t** *W*-** *l*ssi*i**tion *on*irms SQL inj**tion. T** *o

8

Basic Information

Concerned about an active attack path?

CVE-2020-10802: phpMyAdmin SQL injection vulnerability

8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI