USN-4639-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-4639-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4639-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/USN-4639-1
Related
Published
2020-11-19T15:01:30.517730Z
Modified
2020-11-19T15:01:30.517730Z
Summary
phpmyadmin vulnerabilities
Details

It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive files. (CVE-2018-19968)

It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for an XSS attack. (CVE-2018-19970)

It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack via a crafted URL. (CVE-2018-7260)

It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database name. (CVE-2019-11768)

It was discovered that phpmyadmin incorrectly handled some requests. An attacker could possibly use this to perform a CSRF attack. (CVE-2019-12616)

It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username. (CVE-2019-6798, CVE-2020-10804, CVE-2020-5504)

It was discovered that phpMyAdmin would allow sensitive files to be leaked if certain configuration options were set. An attacker could use this vulnerability to access confidential information. (CVE-2019-6799)

It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database or table name. (CVE-2020-10802)

It was discovered that phpMyAdmin did not properly handle data from the database when displaying it. If an attacker were to insert specially- crafted data into certain database tables, the attacker could execute a cross-site scripting (XSS) attack. (CVE-2020-10803)

It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a victim were to click on a crafted link, an attacker could run malicious JavaScript on the victim's system. (CVE-2020-26934)

It was discovered that phpMyAdmin did not properly handler certain SQL statements in the search feature. An attacker could use this vulnerability to inject malicious SQL into a query. (CVE-2020-26935)

It was discovered that phpMyAdmin did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection or a cross-site scripting (XSS) attack. (CVE-2019-19617)

References

Affected packages

Ubuntu:18.04:LTS / phpmyadmin

Package

Name
phpmyadmin
Purl
pkg:deb/ubuntu/phpmyadmin?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4:4.6.6-5ubuntu0.5

Affected versions

4:4.*

4:4.6.6-5

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "4:4.6.6-5ubuntu0.5",
            "binary_name": "phpmyadmin"
        }
    ]
}