CVE-2020-10802: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2020-10802) was discovered in phpMyAdmin versions 4.x before 4.9.5 and 5.x before 5.0.2. The vulnerability exists in the search feature where certain parameters are not properly escaped when generating queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. The vulnerability was disclosed on March 22, 2020, affecting all phpMyAdmin installations within the vulnerable version range (PhpMyAdmin Advisory).

The vulnerability occurs when certain parameters are not properly escaped during query generation for search actions. An attacker can exploit this by crafting malicious database or table names. The attack can be executed when a user attempts specific search operations on the compromised database or table. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to perform SQL injection attacks through specially crafted database or table names. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the system. The vulnerability requires user interaction to trigger the malicious search operations (PhpMyAdmin Advisory).

Users are advised to upgrade to phpMyAdmin versions 4.9.5 or 5.0.2 or newer to address this vulnerability. A patch has also been made available through commit a8acd7a42cf743186528b0453f90aaa32bfefabe for those unable to upgrade immediately (PhpMyAdmin Advisory).