{"id":"CVE-2020-5504","details":"In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.","aliases":["BIT-phpmyadmin-2020-5504","GHSA-fgj8-93xx-f6g6"],"modified":"2026-04-16T04:38:14.860815218Z","published":"2020-01-09T22:15:13.863Z","related":["openSUSE-SU-2020:0056-1","openSUSE-SU-2024:11171-1"],"references":[{"type":"WEB","url":"https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-5504.md"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00011.html"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2020-1/"},{"type":"EVIDENCE","url":"https://cybersecurityworks.com/zerodays/cve-2020-5504-phpmyadmin.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"6da64cc3b2ba4439574f914f51e161645375be96"},{"fixed":"b732639282104efbc42b3bc040e532649d93a1fe"},{"introduced":"c124aacc32329f69f3e8189c61c5d82f6d9fcd47"},{"fixed":"645989e87a22c46196fa7e1afae638dc07353bdf"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.9.4"},{"introduced":"5.0.0"},{"fixed":"5.0.1"}]}}],"versions":["RELEASE_5_0_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5504.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}