- Release Date: May 12, 2020
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: phpMyAdmin (ext:phpmyadmin)
- Vulnerability Type: SQL Injection
- Affected Versions: 5.6.1 and below
- Severity: High
- Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- References: CVE-2020-10802, CVE-2020-10803 and CVE-2020-10804
Problem Description
Multiple vulnerabilities have been found in the phpMyAdmin component.
- PMASA-2020-2 - SQL injection with processing username
- PMASA-2020-3 - SQL injection relating to searching
- PMASA-2020-4 - SQL injection relating to data display
Solution
An updated version 5.6.2 is available from the TYPO3 extension manager and at
https://extensions.typo3.org/extension/download/phpmyadmin/5.6.2/zip/
Users of the extension are advised to update the extension as soon as possible.
Note: In general, the TYPO3 Security Team recommends not using any extension that bundles database or file management tools on production TYPO3 websites.
Credits
Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.