Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1675-1 Final 1 1 2020-10-16T12:23:05Z current 2020-10-16T12:23:05Z 2020-10-16T12:23:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin This update for phpMyAdmin fixes the following issues: - phpMyAdmin was updated to 4.9.6 * CVE-2020-26934: Fixed an XSS relating to the transformation feature (boo#1177561). * CVE-2020-26935: Fixed an SQL injection in SearchController (boo#1177562). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1675 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IQ7OUJYMDUNUBPRBTEK6DBC7JLFD3ZZA/ E-Mail link for openSUSE-SU-2020:1675-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177561 SUSE Bug 1177561 https://bugzilla.suse.com/1177562 SUSE Bug 1177562 https://www.suse.com/security/cve/CVE-2020-26934/ SUSE CVE CVE-2020-26934 page https://www.suse.com/security/cve/CVE-2020-26935/ SUSE CVE CVE-2020-26935 page SUSE Package Hub 12 SUSE Package Hub 15 SP1 SUSE Package Hub 15 SP2 openSUSE Leap 15.1 openSUSE Leap 15.2 phpMyAdmin-4.9.6-bp152.2.3.1 phpMyAdmin-4.9.6-bp152.2.3.1 as a component of SUSE Package Hub 12 phpMyAdmin-4.9.6-bp152.2.3.1 as a component of SUSE Package Hub 15 SP1 phpMyAdmin-4.9.6-bp152.2.3.1 as a component of SUSE Package Hub 15 SP2 phpMyAdmin-4.9.6-bp152.2.3.1 as a component of openSUSE Leap 15.1 phpMyAdmin-4.9.6-bp152.2.3.1 as a component of openSUSE Leap 15.2 phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. CVE-2020-26934 SUSE Package Hub 12:phpMyAdmin-4.9.6-bp152.2.3.1 SUSE Package Hub 15 SP1:phpMyAdmin-4.9.6-bp152.2.3.1 SUSE Package Hub 15 SP2:phpMyAdmin-4.9.6-bp152.2.3.1 openSUSE Leap 15.1:phpMyAdmin-4.9.6-bp152.2.3.1 openSUSE Leap 15.2:phpMyAdmin-4.9.6-bp152.2.3.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IQ7OUJYMDUNUBPRBTEK6DBC7JLFD3ZZA/ https://www.suse.com/security/cve/CVE-2020-26934.html CVE-2020-26934 https://bugzilla.suse.com/1177561 SUSE Bug 1177561 An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. CVE-2020-26935 SUSE Package Hub 12:phpMyAdmin-4.9.6-bp152.2.3.1 SUSE Package Hub 15 SP1:phpMyAdmin-4.9.6-bp152.2.3.1 SUSE Package Hub 15 SP2:phpMyAdmin-4.9.6-bp152.2.3.1 openSUSE Leap 15.1:phpMyAdmin-4.9.6-bp152.2.3.1 openSUSE Leap 15.2:phpMyAdmin-4.9.6-bp152.2.3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IQ7OUJYMDUNUBPRBTEK6DBC7JLFD3ZZA/ https://www.suse.com/security/cve/CVE-2020-26935.html CVE-2020-26935 https://bugzilla.suse.com/1177562 SUSE Bug 1177562