Discussion: Security Bug on pgadmin 4 6.12
Hi team, I found an XSS vulnerability on the latest pgAdmin4 (6.12).
Step by step
Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in the Hostname/address value with ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired.
If you need any more information, you can ask me.
Thanks
khoabda
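The report above says where the payload goes in (the Hostname/address field of the server registration form) and that it fires on save, but not how the value reaches the page. The pattern that produces exactly this behaviour is building markup by string concatenation with the untrusted field value, so the double quote closes the attribute and the rest of the payload becomes a real element. The following is an added example, not pgAdmin's code and not the committed fix; the render functions are hypothetical, and only the payload is taken from the report. It contrasts the unsafe rendering with an HTML-escaping one and includes a small check a tester can use to tell the two apart.

```javascript
// Added example, not pgAdmin code. Function names and the span markup are
// hypothetical stand-ins for "wherever the host value is rendered in the UI".

// The payload from the report (constructed input for this example).
const PAYLOAD = 'ss"><iframe src=javascript:alert(document.domain)>';

// Vulnerable pattern: the field value is spliced straight into HTML. The
// leading `"` closes the title attribute and `>` closes the tag, so the
// <iframe ...> that follows is parsed as a real element and its
// javascript: URL runs as soon as the markup is inserted.
function renderHostVulnerable(host) {
  return '<span class="host" title="' + host + '">' + host + '</span>';
}

// Minimal HTML escaping: enough for text nodes and double-quoted attributes.
// (Do not use this for values placed inside <script>, URLs or event handlers;
// those contexts need their own encoding.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same markup, but the value is escaped before it is
// concatenated, so `"` and `<` can no longer change the document structure.
function renderHostSafe(host) {
  const h = escapeHtml(host);
  return '<span class="host" title="' + h + '">' + h + '</span>';
}

// Crude detector for a tester: does the rendered fragment contain any element
// tag other than the one we intended to emit? Unescaped `<` characters from
// the input show up here; escaped ones (&lt;) do not.
function containsInjectedTag(html, allowedTag = 'span') {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [];
  const allowed = new RegExp('^<\\/?' + allowedTag + '$');
  return tags.some((t) => !allowed.test(t));
}

// Runs both renderers over the reported payload and reports the verdicts.
function demo(payload = PAYLOAD) {
  const vuln = renderHostVulnerable(payload);
  const safe = renderHostSafe(payload);
  return {
    vuln,
    safe,
    vulnInjected: containsInjectedTag(vuln), // true: the iframe survives
    safeInjected: containsInjectedTag(safe), // false: only &lt;iframe text
  };
}

// Stand-alone run: print both fragments so the difference is visible.
if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable:', r.vuln, '\ninjected tag:', r.vulnInjected);
  console.log('escaped:   ', r.safe, '\ninjected tag:', r.safeInjected);
}
```

In a real browser client the cleaner fix is usually not to build HTML strings at all: set `element.textContent` or `element.title` from the untrusted value and let the DOM do the encoding. The escaping version above is shown because it maps directly onto the string-concatenation bug the payload in the report exploits.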
Thank you for reporting this. We will fix this before the next release.
Please report it here - https://redmine.postgresql.org/projects/pgadmin4/issues/new
On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda305@gmail.com> wrote:
Hi team, I found an XSS vulnerability on the latest pgAdmin4 (6.12).
Step by step
Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in the Hostname/address value with ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired.
If you need any more information, you can ask me.
Thanks
khoabda
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | edbpostgres.com
"Don't Complain about Heat, Plant a TREE"
On Mon, Aug 22, 2022 at 3:30 PM Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
Thank you for reporting this. We will fix this before the next release.
Please report it here - https://redmine.postgresql.org/projects/pgadmin4/issues/new
We have committed the fix.
Akshay Joshi
Principal Software Architect
+91 9767888246