phpMyAdmin 4.7.4 SQL injection vulnerability

  • Hi,


    phpMyAdmin 4.7.4, which is part of my i-MSCP 1.5.3 installation, is affected by an SQL injection vulnerability (CVE-2020-5504).


    What is the upgrading policy or best-practice for 3rd-party apps like pma, ftp, and so on?


    Best regards, Sven.

  • You can manually update the packages. Some changes might break the installation like mysql 5 to 8 (at least some guys got issues with that).

    So I wouldn't recommend that unless you seriously need to. It's possible that Nuxwin will do something about it.

    But for that exploit to happen, you need a valid account.


    It's located in:

        /var/www/imscp/gui/public/tools/pma

    and

        /etc/imscp/pma

    The second one should be the config only.


    If you want to do an update, backup the files first.