| From: | Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com> |
|---|---|
| To: | Khoa Bùi Đức Anh <khoabda305(at)gmail(dot)com> |
| Cc: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: Security Bug on pgadmin 4 6.12 |
| Date: | 2022-08-22 09:59:28 |
| Message-ID: | CAM9w-_n8pE41=PbbcCr_TJ6aGSuVyGcn2aPbU2NUK1OV1BYnfA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
Thank you for reporting this. We will fix this before the next release.
Please report it here -
https://redmine.postgresql.org/projects/pgadmin4/issues/new
On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda305(at)gmail(dot)com>
wrote:
> Hi team I found a XSS vulnerabillity on the latest pgAdmin4 (6.12).
>
> Step by step
>
> Bug is at API /browser/server/obj/7/
> Object -> Register -> Server -> Connection
> Fill in Hostname/address value ss"><iframe
> src=javascript:alert(document.domain)>
> Click save, XSS fired
>
> Anymore information, you can ask me
>
> Thanks
> khoabda
>
--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | *edbpostgres.com*
<http://edbpostgres.com>
"Don't Complain about Heat, Plant a TREE"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nikhil Mohite | 2022-08-22 10:16:50 | [pgAdmin][RM-7633]: On startup, autofocus on master password input. |
| Previous Message | Akshay Joshi | 2022-08-22 09:22:52 | Re: [pgAdmin][RM7579] Multiple query tool fixes |