CVE-2020-26934
Published: 10 October 2020
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
From the Ubuntu security team
It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a victim were to click on a crafted link, an attacker could run malicious JavaScript on the victim's system.
Priority
Medium
CVSS 3 base score: 6.1
Status
| Package | Release | Status |
|---|---|---|
|
phpmyadmin Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(4:4.9.7+dfsg1-1)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(4:4.9.7+dfsg1-1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needed
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(4:4.6.6-5ubuntu0.5)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needed)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
Notes
| Author | Note |
|---|---|
| mdeslaur | vulerability was introduced in 2.5.0. File where issue is is different in bionic and earlier. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26934
- https://www.phpmyadmin.net/security/PMASA-2020-5/
- https://github.com/phpmyadmin/phpmyadmin/commit/19df63b0365621427697edc185ff7c9c5707c523
- https://ubuntu.com/security/notices/USN-4639-1
- NVD
- Launchpad
- Debian