Re: Security Bug on pgadmin 4 6.12 - Mailing list pgadmin-hackers

From Akshay Joshi
Subject Re: Security Bug on pgadmin 4 6.12
Date
Msg-id CANxoLDdpdmQP19tvV7T2Wg=xcEtjseOwO-8NRb2bUrRRaL+PGA@mail.gmail.com
In response to Re: Security Bug on pgadmin 4 6.12  (Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>)
List pgadmin-hackers

On Mon, Aug 22, 2022 at 3:30 PM Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
Thank you for reporting this. We will fix this before the next release.


We have committed the fix.


On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda305@gmail.com> wrote:
Hi team, I found an XSS vulnerability on the latest pgAdmin4 (6.12).

Step by step

Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired

If you need any more information, you can ask me.

Thanks
khoabda


--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | edbpostgres.com
"Don't Complain about Heat, Plant a TREE"


--

Akshay Joshi

Principal Software Architect

+91 9767888246

www.enterprisedb.com
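As an added example that is not part of this thread or of pgAdmin's own code, a JavaScript sketch of the two defences a reviewer would look for around a field like Hostname/address: a strict syntactic check before the value is stored, and HTML-escaping whenever it is rendered into markup. The validator grammar and helper names are this example's own assumptions; the report's payload is used only as an input that must be rejected and neutralised.

```javascript
// Added example (not pgAdmin code): defensive handling of a user-supplied
// hostname/address such as the Connection -> Hostname field in the report.

// RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
// 1-63 chars each, not starting or ending with a hyphen, 253 chars total.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
// Loose IPv6 literal: hex digits, colons, and dots for embedded IPv4 forms.
const IPV6_RE = /^[0-9A-Fa-f:.]{2,45}$/;
// Unix-domain socket directory, which libpq also accepts as a "host".
const SOCKET_DIR_RE = /^\/[A-Za-z0-9._\/-]*$/;

// First line of defence (server side): accept only values that can be a host.
// Quotes, angle brackets and whitespace never pass, so the reported payload
// is refused before it is ever stored.
function isValidHostOrAddress(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (HOSTNAME_RE.test(value)) return true;
  if (value.includes(':') && IPV6_RE.test(value)) return true;
  return SOCKET_DIR_RE.test(value);
}

// Second line of defence (client side): encode for the HTML context before the
// value is interpolated into markup, so a stored value can only ever be text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders the host into an attribute and a text node, both escaped; a value
// like  ss"><iframe ...>  cannot close the attribute or open a new element.
function renderHostAttribute(value) {
  const safe = escapeHtml(value);
  return `<span title="${safe}">${safe}</span>`;
}

// Constructed inputs: the payload quoted in the report plus some legitimate hosts.
const REPORTED_PAYLOAD = 'ss"><iframe src=javascript:alert(document.domain)>';
const LEGITIMATE_HOSTS = ['localhost', 'db.example.com', '10.0.0.5', '::1', '2001:db8::1', '/var/run/postgresql'];
```

Both checks are needed: the validator stops the bad value reaching the database, and the escaper keeps any value already stored (or reaching the page by another route) inert when rendered.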
