• Release Date: March 10, 2020
• Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
• Vulnerability Type: SQL Injection
• Affected Versions: 5.4.0 and below
• Severity: High
• Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• CVE: CVE-2019-18622 and CVE-2020-5504

Problem Description

Multiple vulnerabilities have been found in the phpMyAdmin component.

• PMASA-2019-5 - SQL injection in Designer feature
• PMASA-2020-1 - SQL injection in user accounts page

Solution

An updated version 5.5.0 is available from the TYPO3 extension manager and at

https://typo3.org/extensions/repository/download/phpmyadmin/5.5.0/zip/.

Users of the extension are advised to update the extension as soon as possible.

Note: In general the TYPO3 Security Team recommends to not use any extension that bundles database or file management tools on production TYPO3 websites.

Credits

Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.