CVE-2019-18622

moderate-risk
Published 2019-11-22

An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 4e615cc5e5165de4663bb2510ffaf97bc953e718
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Phpmyadmin Fedoraproject Opensuse

References (12)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://security.gentoo.org/glsa/202003-39
Patch https://www.phpmyadmin.net/security/PMASA-2019-5/
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://security.gentoo.org/glsa/202003-39
Patch https://www.phpmyadmin.net/security/PMASA-2019-5/
48
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 14/34 · Moderate