Professional Content Management

Free and open source, TYPO3 CMS is the most widely used enterprise-level CMS.

Test TYPO3 now:

TYPO3 live demo

Inspire people to share

Offer your skills and contribute to the project. The community is growing and does more than just coding. 

A Community Effort

TYPO3 CMS is an Open Source project managed by the TYPO3 Association.

The Project

Do you have a question?

Ask the community or a professional partner.

Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

Categories: Development, Security Created by Torben Hansen
It has been discovered that the extension "phpmyadmin" (phpmyadmin) is susceptible to SQL Injection and Cross-Site Scripting.
  • Release Date: November 17, 2020
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: phpMyAdmin (phpmyadmin)
  • Vulnerability Type: SQL Injection, Cross-Site Scripting
  • Affected Versions: 5.6.3 and below
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • References: CVE-2020-26934, CVE-2020-26935

Problem Description

Multiple vulnerabilities have been found in the phpMyAdmin component.

  • PMASA-2020-5 - XSS relating to the transformation feature
  • PMASA-2020-6 - SQL injection vulnerability in SearchController

Solution

An updated version 5.6.4  is available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/phpmyadmin/5.6.4/zip/.
Users of the extension are advised to update the extension as soon as possible. 

Note: In general the TYPO3 Security Team recommends to not use any extension that bundles database or file management tools on production TYPO3 websites.

Credits

Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Latest news

Show more