Home > mailing lists

Security Bug on pgadmin 4 6.12 - Mailing list pgadmin-hackers

From	Khoa Bùi Đức Anh
Subject	Security Bug on pgadmin 4 6.12
Date	August 22, 2022 12:09:46
Msg-id	CAGmKS7YEQqUSGgwpAdmPwJYi_J7QCgf-8Pne49NRd9c9gK7M-w@mail.gmail.com Whole thread Raw
Responses	Re: Security Bug on pgadmin 4 6.12 (Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>)
List	pgadmin-hackers

Tree view

Hi team I found a XSS vulnerabillity on the latest pgAdmin4 (6.12).

Step by step

Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection

Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired

Anymore information, you can ask me

Thanks
khoabda

pgadmin-hackers by date:

From: Aditya Toshniwal
Date: 22 August 2022, 11:07:32
Subject: [pgAdmin][RM7579] Multiple query tool fixes

From: Akshay Joshi
Date: 22 August 2022, 12:22:15
Subject: pgAdmin 4 commit: Fixed an issue where a user could not authenticate us

Security Bug on pgadmin 4 6.12 - Mailing list pgadmin-hackers

Previous

Next