Security Bug on pgadmin 4 6.12

From: Khoa Bùi Đức Anh <khoabda305(at)gmail(dot)com>
To: pgadmin-hackers(at)postgresql(dot)org
Subject: Security Bug on pgadmin 4 6.12
Date: 2022-08-22 09:09:46
Message-ID: CAGmKS7YEQqUSGgwpAdmPwJYi_J7QCgf-8Pne49NRd9c9gK7M-w@mail.gmail.com
Lists: pgadmin-hackers

Hi team, I found an XSS vulnerability on the latest pgAdmin4 (6.12).

Step by step

Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired

If you need any more information, you can ask me.

Thanks
khoabda
