CVE-2020-10804: 
PHP vulnerability analysis and mitigation

CVE-2020-10804 is a SQL injection vulnerability discovered in phpMyAdmin versions 4.x before 4.9.5 and 5.x before 5.0.2. The vulnerability was found in the retrieval of the current username functionality, specifically in the libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php files. The issue was disclosed on March 22, 2020, and was assigned a CVSS v3.1 base score of 8.0 (High) (NVD).

The vulnerability exists in how phpMyAdmin retrieves the current username. The affected code paths are in the Server/Privileges.php and UserPassword.php files. The issue received a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability. The vulnerability is classified as CWE-89 (SQL Injection) (NVD, phpMyAdmin).

If exploited, this vulnerability allows a malicious user with access to the server to create a specially-crafted username and then trick victims into performing specific actions with that user account, such as editing its privileges. The flaw could also generate server errors for users with certain characters who try to change their MySQL passwords (phpMyAdmin).

The recommended mitigation is to upgrade to phpMyAdmin version 4.9.5 or 5.0.2 or newer. Patches were released in commits 89fbcd7c39e6b3979cdb2f64aa4cd5f4db27eaad and 3258978c38bee8cb4b99f249dffac9c8aaea2d80 to fix this issue (phpMyAdmin).