    High · CVSS 8.8 · Patched · EPSS 0.22375%

    SQL Injection with Missing Functional Level Access in phpMyAdmin

    In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

    CVE ID: CVE-2020-5504
    CVSS v3.1: 8.8 High
    Vendor: PhpMyAdmin
    CWE: CWE-89
    Disclosed: Dec 12, 2019
    Status: Fixed
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    SQL injection (SQLi) is an injection attack in which an attacker can execute malicious SQL statements that control a web application’s database server. Missing functional level access flaws allow attackers to access unauthorized functionality. A SQL injection vulnerability was identified in conjunction with missing function level access in the latest version of phpMyAdmin. The vulnerability affects the username parameter of http://localhost/phpmyadmin/server_privileges.php.
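The two flaws described above, shown side by side with the hardened form. This is an added illustration, not phpMyAdmin's code: Python's sqlite3 stands in for MySQL, and the table layout, the `can_manage_users` column and all function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed account table; sqlite3 stands in for the MySQL server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (User TEXT, can_manage_users INTEGER)")
    db.executemany("INSERT INTO user VALUES (?, ?)", [("root", 1), ("test", 0)])
    return db

def username_exists_vulnerable(db, session_user, username):
    # Before: no check that session_user may use the accounts page,
    # and the request value is concatenated into the statement.
    sql = "SELECT 1 FROM user WHERE User = '" + username + "'"
    return db.execute(sql).fetchone() is not None

def may_manage_users(db, session_user):
    row = db.execute("SELECT can_manage_users FROM user WHERE User = ?",
                     (session_user,)).fetchone()
    return bool(row and row[0])

def username_exists_hardened(db, session_user, username):
    # After: function-level access check first, then a bound parameter.
    if not may_manage_users(db, session_user):
        raise PermissionError("session may not query user accounts")
    row = db.execute("SELECT 1 FROM user WHERE User = ?", (username,)).fetchone()
    return row is not None

def outcome(check, db, session_user, username):
    # Collapse each call into the response class a client would observe.
    try:
        return "exists" if check(db, session_user, username) else "absent"
    except sqlite3.OperationalError:
        return "sql-error"
    except PermissionError:
        return "denied"

if __name__ == "__main__":
    db = make_db()
    for value in ("root", "o'brien"):  # constructed inputs
        for check in (username_exists_vulnerable, username_exists_hardened):
            for who in ("test", "root"):
                print(check.__name__, who, repr(value), outcome(check, db, who, value))
```

A value containing an apostrophe produces a SQL error only in the concatenating version, which is the same signal the advisory relies on to confirm the flaw.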

    *Affected Products: phpMyAdmin 4.x versions prior to 4.9.4 and phpMyAdmin 5.x version 5.0.0 are affected.

    Vendor: PhpMyAdmin
    Affected Product: See Full List Below*
    CVE: CVE-2020-5504
    Securin ID: 2019-CSW-12-1032
    Status: Fixed
    Date: December 12, 2019
    Severity: High
    CVSS Score: 8.8
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CWE: CWE-89
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    CVSS 3.1: 8.8
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Scope: Unchanged
    Impact: C:H / I:H / A:H
    Severity: High
    PoC · Exploitation Steps

    The following vulnerability was tested on phpMyAdmin version 5.0.0

    Issue: SQL Injection with missing functional level access:

    1. Log in to the phpMyAdmin GUI
    2. Installed PhpMyAdmin (Version 5.0)

    Figure 01: phpMyAdmin Installed Version 5.0.0

    Figure 02: List of user accounts and privileges in the database.

    Figure 03: Test user doesn’t have global privileges just for information.

    Figure 04: “Test” user has all privileges on the test database only.

    Figure 05: Log in to phpMyAdmin with “test” user credentials.

    Now, enable an HTTP-based proxy on the browser to intercept the traffic to the server.

    Figure 06: “Test” users don’t have enough privilege to view users and other databases.

    Figure 07: The intercepted Ajax call in the proxy is related to the user accounts page.

    Figure 08: JavaScript file which is related to the server_privileges.php page Ajax calls.

    JavaScript code, which is responsible for checking the existence of the username in the database.

    Modified Ajax call which was intercepted in Burp with the required details to make validate_username

    As per the privileges, the user shouldn’t be able to access this Ajax call. But the server is giving a SQL error in the response. The response for the Ajax call confirms that the request is vulnerable to Missing Functional Level Access.

    An unauthorized (test) user was able to control the SQL statement, which is responsible for validating the username.

    The difference in the responses of the previous request and the current request confirms that the username field is vulnerable to SQL injection.
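A defender can look for the username-validation call described above in web server logs. The sketch below is an added example, not part of the original advisory: the log lines are constructed, and it assumes the `validate_username` and `username` parameters appear in the logged query string (request bodies are not visible in access logs).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2019:10:01:02 +0000] "GET /phpmyadmin/server_privileges.php?validate_username=true&username=alice HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2019:10:03:40 +0000] "GET /phpmyadmin/server_privileges.php?validate_username=1&username=test%27%20-- HTTP/1.1" 200 734
10.0.0.9 - - [12/Dec/2019:10:03:41 +0000] "GET /phpmyadmin/index.php?username=o%27neil HTTP/1.1" 200 90
10.0.0.7 - - [12/Dec/2019:10:05:00 +0000] "POST /phpmyadmin/server_privileges.php HTTP/1.1" 200 120
"""

REQ = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Quoting, statement and comment characters that a plain account name lookup
# has no reason to carry.
SUSPICIOUS = re.compile(r"""['"`;\\#]|--|/\*""")

def scan(log_text):
    """Return (client, decoded_username, verdict) for each validation call."""
    findings = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/server_privileges.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        if "validate_username" not in params:
            continue
        for name in params.get("username", [""]):
            # "review": confirm the session's account is allowed on the
            # user accounts page; "suspicious": SQL metacharacters present.
            verdict = "suspicious" if SUSPICIOUS.search(name) else "review"
            findings.append((m.group("client"), name, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every hit deserves a look, because the advisory's second flaw is that a low-privileged session can reach this call at all.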

    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An authenticated user with privileges on at least one database can retrieve the contents of the databases on the MySQL DBMS server. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the following patches as advised by the vendor.

    For versions 4.8 and 4.9: upgrade to version 4.9.4 or newer. For 5.x: upgrade to version 5.0.1 or newer, or apply the patch below.

    Older versions: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-5504, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Dec 11, 2019: Vulnerability Discovered in PhpMyAdmin
    Dec 12, 2019: Vulnerability Reported to Vendor
    Dec 30, 2019: Vendor Responded
    Jan 05, 2020: CVE Assigned
    Jan 08, 2020: Vendor Released Fix

    Disclosed 28 days after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD — CVE-2020-5504: nvd.nist.gov/vuln/detail/CVE-2020-5504

    Securin VI — Full Technical Analysis: vi.securin.io
