PublicDateAtUSN: 2020-10-10 19:15:00 UTC
Candidate: CVE-2020-26934
PublicDate: 2020-10-10 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26934
 https://www.phpmyadmin.net/security/PMASA-2020-5/
 https://github.com/phpmyadmin/phpmyadmin/commit/19df63b0365621427697edc185ff7c9c5707c523
 https://ubuntu.com/security/notices/USN-4639-1
Description:
 phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the
 transformation feature via a crafted link.
Ubuntu-Description:
 It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a
 victim were to click on a crafted link, an attacker could run malicious
 JavaScript on the victim's system.
Notes:
 mdeslaur> vulnerability was introduced in 2.5.0. File where issue is
 mdeslaur> is different in bionic and earlier.
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971999
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_phpmyadmin:
upstream_phpmyadmin: needs-triage
precise/esm_phpmyadmin: DNE
trusty_phpmyadmin: ignored (out of standard support)
trusty/esm_phpmyadmin: needs-triage
xenial_phpmyadmin: ignored (end of standard support, was needed)
bionic_phpmyadmin: released (4:4.6.6-5ubuntu0.5)
focal_phpmyadmin: needed
groovy_phpmyadmin: not-affected (4:4.9.7+dfsg1-1)
hirsute_phpmyadmin: not-affected (4:4.9.7+dfsg1-1)
impish_phpmyadmin: not-affected (4:4.9.7+dfsg1-1)
jammy_phpmyadmin: not-affected (4:4.9.7+dfsg1-1)
devel_phpmyadmin: not-affected (4:4.9.7+dfsg1-1)