ELA-911-1 phpmyadmin security update

SQL injection

2023-08-02
Package: phpmyadmin
Version: 4:4.6.6-4+deb9u3 (stretch)
Related CVEs: CVE-2020-22452, CVE-2023-25727


phpMyAdmin is a popular MySQL web administration tool. The following security vulnerabilities have been addressed:

CVE-2020-22452

SQL Injection vulnerability in function getTableCreationQuery in
CreateAddField.php in phpMyAdmin via the tbl_storage_engine or
tbl_collation parameters to tbl_create.php.

CVE-2023-25727

In phpMyAdmin an authenticated user can trigger XSS by uploading a crafted
.sql file through the drag-and-drop interface.


For Debian 9 stretch, these problems have been fixed in version 4:4.6.6-4+deb9u3.

We recommend that you upgrade your phpmyadmin packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.