Hello,
The phpMyAdmin team announces the release of both phpMyAdmin versions 4.9.6 and 5.0.3.
Both versions contain several important security fixes:
* PMASA-2020-5 XSS vulnerability with transformation feature
* PMASA-2020-6 SQL injection vulnerability with the search feature
In addition, 5.0.3 contains many bugfixes. Some of the highlights include:
* Fix an error message about htmlspecialchars() when attempting to export XML
* Support double tapping to edit on mobile
* Fix the error message "Use of undefined constant MYSQLI_TYPE_JSON" when using mysqlnd
* Fix fatal JS error on index creation after using Enter key to submit the form
* Fix "axis-order" to swap latitude and longitude on MySQL 8.1 or newer
* Fix an error when overwriting an existing query bookmark
* Fix some warnings that appear with PHP 8
* Fix alter user privileges query when editing an account with MySQL 8.0.11 and newer
* Fix issues regarding TIMESTAMP columns with default CURRENT_TIMESTAMP in MySQL 8.0.13 and newer
* Fix a message that "Warning: error_reporting() has been disabled for security reasons" on PHP 7.x
There are many other bug fixes; please see the ChangeLog file included with this release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to PHP bug https://bugs.php.net/bug.php?id=76243. The workaround is to set your user account to use the current-style password hash method, `mysql_native_password`. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the upgraded authentication methods.
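The workaround above, sketched as an added example (not part of the original announcement) for a MySQL 8.0 server: audit which accounts use the newer plugin, switch only the one that PHP older than 7.4 must use, and confirm the change. The account name 'pma_user'@'localhost' and the password value are hypothetical placeholders.

```sql
-- Added example; the account name and password are placeholders, not values from the announcement.

-- 1. See which authentication plugin each account uses.
--    Accounts on caching_sha2_password are the ones PHP < 7.4 cannot log in with.
SELECT user, host, plugin
FROM mysql.user
ORDER BY plugin, user, host;

-- 2. Switch only the account used by the affected PHP application.
--    The password has to be supplied again because the stored hash format changes.
ALTER USER 'pma_user'@'localhost'
  IDENTIFIED WITH mysql_native_password
  BY 'REPLACE_WITH_A_STRONG_PASSWORD';

-- 3. Confirm the plugin change, and review the account's privileges while you are here.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'pma_user' AND host = 'localhost';

SHOW GRANTS FOR 'pma_user'@'localhost';
```

Once PHP is upgraded to 7.4 or newer, the same ALTER USER statement with `caching_sha2_password` moves the account back to the newer method.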
Downloads are available now at https://phpmyadmin.net/downloads/