| From: | Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com> |
|---|---|
| To: | Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com> |
| Cc: | Khoa Bùi Đức Anh <khoabda305(at)gmail(dot)com>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: Security Bug on pgadmin 4 6.12 |
| Date: | 2022-08-22 10:31:17 |
| Message-ID: | CANxoLDdpdmQP19tvV7T2Wg=xcEtjseOwO-8NRb2bUrRRaL+PGA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
On Mon, Aug 22, 2022 at 3:30 PM Aditya Toshniwal <
aditya(dot)toshniwal(at)enterprisedb(dot)com> wrote:
> Thank you for reporting this. We will fix this before the next release.
>
> Please report it here -
> https://redmine.postgresql.org/projects/pgadmin4/issues/new
>
We have committed the fix.
>
>
> On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda305(at)gmail(dot)com>
> wrote:
>
>> Hi team I found a XSS vulnerabillity on the latest pgAdmin4 (6.12).
>>
>> Step by step
>>
>> Bug is at API /browser/server/obj/7/
>> Object -> Register -> Server -> Connection
>> Fill in Hostname/address value ss"><iframe
>> src=javascript:alert(document.domain)>
>> Click save, XSS fired
>>
>> Anymore information, you can ask me
>>
>> Thanks
>> khoabda
>>
>
>
> --
> Thanks,
> Aditya Toshniwal
> pgAdmin Hacker | Software Architect | *edbpostgres.com*
> <http://edbpostgres.com>
> "Don't Complain about Heat, Plant a TREE"
>
--
Akshay Joshi
Principal Software Architect
+91 9767888246
<https://www.linkedin.com/company/edbpostgres>
<https://twitter.com/edbpostgres?lang=en>
<https://www.facebook.com/EDBpostgres>
<https://www.instagram.com/EDBpostgres/>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Akshay Joshi | 2022-08-22 10:31:33 | Re: [pgAdmin][RM-7633]: On startup, autofocus on master password input. |
| Previous Message | Akshay Joshi | 2022-08-22 10:30:07 | pgAdmin 4 commit: Update version for release. |