Vulnerability CVE-2020-26934 - CERT Civis.Net

Vulnerability Name:

CVE-2020-26934 (CCN-189711)

Assigned:

2020-10-10

Published:

2020-10-10

Updated:

2021-01-28

Summary:

phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2020-26934

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1675

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1806

Source: XF
Type: UNKNOWN
phpmyadmin-cve202026934-xss(189711)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201025 [SECURITY] [DLA 2413-1] phpmyadmin security update

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-43d8624421

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-eadda524a8

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-4e78c86902

Source: GENTOO
Type: Third Party Advisory
GLSA-202101-35

Source: CCN
Type: phpMyAdmin PMASA-2020-5
XSS relating to the transformation feature

Source: MISC
Type: Patch, Vendor Advisory
https://www.phpmyadmin.net/security/PMASA-2020-5/

Vulnerable Configuration:

Configuration 1:

cpe:/a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* (Version >= 4.9.0 and < 4.9.6)

OR cpe:/a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.0.3)

Configuration 2:

cpe:/a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*

OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

OR cpe:/a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:phpmyadmin:phpmyadmin:2.2.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.2.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.2.7_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.3.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.5.7_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.1_pl1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.1_pl3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.6.1_rc1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0:beta1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0_dev:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.1:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.9.1:rc2:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.11:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.10.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.10.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.8.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.9.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.11.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:2.11.11.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.10:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.10.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.10.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.10.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:3.4.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.9.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:5.0.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:202026934	V	CVE-2020-26934	2022-06-30
oval:org.opensuse.security:def:113142	P	phpMyAdmin-5.1.1-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:64587	P	Security update for webkit2gtk3 (Important)	2021-10-12
oval:org.opensuse.security:def:106570	P	phpMyAdmin-5.1.1-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:63198	P	bind-9.11.2-12.8.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:64761	P	Security update for java-11-openjdk (Important)	2021-09-03
oval:org.opensuse.security:def:64561	P	Security update for libmspack (Moderate)	2021-08-20
oval:org.opensuse.security:def:63512	P	python2-ecdsa-0.13.3-3.7.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63316	P	apache2-mod_auth_openidc-2.3.8-3.7.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63374	P	sca-patterns-sle12-1.0.2-1.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62742	P	flatpak-1.10.2-4.6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:74653	P	Security update for go1.15 (Moderate)	2021-07-19
oval:org.opensuse.security:def:63538	P	gnome-photos-3.26.3-2.41 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64517	P	Security update for polkit (Important)	2021-06-03
oval:org.opensuse.security:def:74627	P	Security update for the Linux Kernel (Important)	2021-04-16
oval:org.opensuse.security:def:64654	P	Security update for avahi (Moderate)	2021-02-23
oval:org.opensuse.security:def:64653	P	Security update for postgresql12 (Moderate)	2021-02-22
oval:org.opensuse.security:def:64475	P	Security update for open-iscsi (Important)	2021-01-14
oval:org.opensuse.security:def:64449	P	Security update for clamav (Moderate)	2020-12-14
oval:org.opensuse.security:def:100254	P	(Moderate)	2020-12-09
oval:org.opensuse.security:def:63609	P	bluez-cups-5.48-11.58 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62893	P	checkbashisms-2.15.1-1.49 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63113	P	cloud-init-19.4-8.20.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63400	P	nodejs10-10.15.2-1.6.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63138	P	389-ds-1.4.0.3-2.39 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63110	P	rmt-server-pubcloud-1.2.2-1.15 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62919	P	perl-Net-Libproxy-0.4.15-2.42 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62692	P	libplist++-devel-2.0.0-1.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63172	P	nginx-1.14.0-1.14 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62693	P	libpotrace0-1.15-3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62716	P	python3-bottle-0.12.13-1.26 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63106	P	python3-paramiko-2.4.1-1.15 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62719	P	sane-backends-1.0.27-4.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:64407	P	libxml2-2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64065	P	Security update for java-1_8_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:26458	P	Security update for phpMyAdmin (Moderate)	2020-12-01
oval:org.opensuse.security:def:25387	P	Security update for shim (Moderate)	2020-12-01
oval:org.opensuse.security:def:25764	P	Security update for webkitgtk (Moderate)	2020-12-01
oval:org.opensuse.security:def:25124	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:64305	P	libXinerama-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25623	P	Security update for cifs-utils (Moderate)	2020-12-01
oval:org.opensuse.security:def:75108	P	Security update for phpMyAdmin (Important)	2020-12-01
oval:org.opensuse.security:def:64188	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:74501	P	Security update for pdns-recursor (Moderate)	2020-12-01
oval:org.opensuse.security:def:25776	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:25249	P	Security update for librsvg (Moderate)	2020-12-01
oval:org.opensuse.security:def:64433	P	perl-DBD-mysql on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25674	P	Security update for the Linux Kernel (Moderate)	2020-12-01
oval:org.opensuse.security:def:25049	P	Security update for accountsservice (Moderate)	2020-12-01
oval:org.opensuse.security:def:64091	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:26460	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:25389	P	Security update for perl-DBI (Important)	2020-12-01
oval:org.opensuse.security:def:65033	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:63812	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:64331	P	libical2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25058	P	Security update for gdb (Moderate)	2020-12-01
oval:org.opensuse.security:def:64199	P	ruby2.5-rubygem-loofah on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26493	P	Security update for phpMyAdmin (Important)	2020-12-01
oval:org.opensuse.security:def:25471	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:74527	P	Security update for targetcli-fb (Moderate)	2020-12-01
oval:org.opensuse.security:def:25778	P	Security update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:25251	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:64863	P	Security update for wavpack (Low)	2020-12-01
oval:org.opensuse.security:def:25676	P	Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)	2020-12-01
oval:org.opensuse.security:def:63738	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25820	P	Security update for xerces-c (Moderate)	2020-12-01
oval:org.opensuse.security:def:25330	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25060	P	Security update for libssh2_org (Moderate)	2020-12-01
oval:org.opensuse.security:def:64225	P	ceph-common on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26495	P	Security update for phpMyAdmin (Important)	2020-12-01
oval:org.opensuse.security:def:25473	P	Security update for strongswan (Important)	2020-12-01
oval:org.opensuse.security:def:74975	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:63959	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:25762	P	Security update for Xerces-C (Moderate)	2020-12-01
oval:org.opensuse.security:def:25122	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:25621	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:25047	P	Security update for sysstat (Moderate)	2020-12-01
oval:org.opensuse.security:def:63764	P	Security update for openjpeg2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25822	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:25332	P	Security update for sane-backends (Important)	2020-12-01
oval:org.opensuse.security:def:64921	P	Security update for gcc9 (Moderate)	2020-12-01
oval:org.opensuse.security:def:100247	P	(Moderate)	2020-11-23
oval:org.opensuse.security:def:93541	P	Security update for phpMyAdmin (Important)	2020-11-01
oval:org.opensuse.security:def:110277	P	Security update for phpMyAdmin (Important)	2020-11-01
oval:org.opensuse.security:def:103067	P	Security update for phpMyAdmin (Important)	2020-10-16
oval:org.opensuse.security:def:96377	P	Security update for phpMyAdmin (Important)	2020-10-16
oval:org.opensuse.security:def:110251	P	Security update for phpMyAdmin (Important)	2020-10-16
oval:org.opensuse.security:def:109724	P	Security update for phpMyAdmin (Important)	2020-10-16
oval:org.opensuse.security:def:93534	P	Security update for phpMyAdmin (Important)	2020-10-16
oval:org.opensuse.security:def:110803	P	Security update for phpMyAdmin (Important)	2020-10-16