Miggo Logo
Miggo Vulnerability Database
CVE-2020-26935

CVE-2020-26935: phpMyAdmin SQL injection vulnerability

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-26935
GHSA ID
GHSA-7ff4-cv53-4cjq
EPSS Score
0.99048%
CWE
CWE-89
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer>= 4.9.0, < 4.9.64.9.6
phpmyadmin/phpmyadmincomposer>= 5.0.0, < 5.0.35.0.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references SearchController as the origin point, and the CWE-89 classification indicates direct SQL injection via unsanitized input. The patch commit d09ab9bc9d634ad08b866d42bb8c4109869d38d2 (referenced in PMASA-2020-6) specifically modifies SQL query construction logic in the search feature. This function would handle user input for table searches and build SQL queries dynamically, making it the most likely candidate for improper neutralization of special elements.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in S**r***ontroll*r in p*pMy**min ***or* *.*.* *n* *.x ***or* *.*.*. * SQL inj**tion vuln*r**ility w*s *is*ov*r** in *ow p*pMy**min pro**ss*s SQL st*t*m*nts in t** s**r** ***tur*. *n *tt**k*r *oul* us* t*is *l*w to inj**t m*li

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s S**r***ontroll*r *s t** ori*in point, *n* t** *W*-** *l*ssi*i**tion in*i**t*s *ir**t SQL inj**tion vi* uns*nitiz** input. T** p*t** *ommit `****************************************` (r***r*n*** in `PM*S*-****-*