Home > mailing lists

Re: Security Bug on pgadmin 4 6.12 - Mailing list pgadmin-hackers

From	Aditya Toshniwal
Subject	Re: Security Bug on pgadmin 4 6.12
Date	August 22, 2022 12:59:28
Msg-id	CAM9w-_n8pE41=PbbcCr_TJ6aGSuVyGcn2aPbU2NUK1OV1BYnfA@mail.gmail.com Whole thread Raw
In response to	Security Bug on pgadmin 4 6.12 (Khoa Bùi Đức Anh <khoabda305@gmail.com>)
Responses	Re: Security Bug on pgadmin 4 6.12 (Akshay Joshi <akshay.joshi@enterprisedb.com>)
List	pgadmin-hackers

Tree view

Thank you for reporting this. We will fix this before the next release.

Please report it here - https://redmine.postgresql.org/projects/pgadmin4/issues/new

On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda305@gmail.com> wrote:

Hi team I found a XSS vulnerabillity on the latest pgAdmin4 (6.12).

Step by step

Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired

Anymore information, you can ask me

Thanks
khoabda

Thanks,

Aditya Toshniwal

pgAdmin Hacker | Software Architect | edbpostgres.com

"Don't Complain about Heat, Plant a TREE"

pgadmin-hackers by date:

From: Akshay Joshi
Date: 22 August 2022, 12:22:52
Subject: Re: [pgAdmin][RM7579] Multiple query tool fixes

From: Nikhil Mohite
Date: 22 August 2022, 13:16:50
Subject: [pgAdmin][RM-7633]: On startup, autofocus on master password input.

Re: Security Bug on pgadmin 4 6.12 - Mailing list pgadmin-hackers

Previous

Next