Homepage

pgadmin4@6.19 vulnerabilities

PostgreSQL Tools

  • latest version

    9.2

  • latest non vulnerable version

    9.2

  • first published

    4 years ago

  • latest version published

    17 days ago

  • licenses detected

  • View pgadmin4 package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the pgadmin4 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Remote Code Execution (RCE)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the Cloud Deployment with Google Provider module, which is accessible via the high_availability parameter to the /deploy endpoint and in the Query Tool interface, which is accessible via the query_commited parameter to the /download endpoint. An attacker can execute arbitrary commands with the privileges of the application user.

    How to fix Remote Code Execution (RCE)?

    Upgrade pgadmin4 to version 9.2 or higher.

    [,9.2)
    • M
    Cross-site Scripting (XSS)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the measureText() function, accessible via the Query Tool interface. An attacker can inject malicious scripts into the displayed output.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 9.2 or higher.

    [,9.2)
    • M
    Race Condition

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Race Condition during the LDAP authentication process. An attacker can hijack another user's session by initiating multiple simultaneous login attempts.

    How to fix Race Condition?

    Upgrade pgadmin4 to version 7.0 or higher.

    [,7.0)
    • H
    Information Exposure

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Information Exposure due to improper handling of OAuth2 authentication credentials.

    How to fix Information Exposure?

    Upgrade pgadmin4 to version 8.12 or higher.

    [,8.12)
    • M
    Cross-site Scripting (XSS)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /settings/store API response json payload. An attacker can execute malicious script at the client end by injecting script content into the json response.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 8.6 or higher.

    [,8.6)
    • M
    Authentication Bypass

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Authentication Bypass due to a flaw in the multi-factor authentication process. An attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

    How to fix Authentication Bypass?

    Upgrade pgadmin4 to version 8.6 or higher.

    [,8.6)
    • H
    Improper Control of Generation of Code ('Code Injection')

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the validate binary path API. An attacker can execute arbitrary code on the server hosting the application, posing a severe risk to the integrity of the database management system and the security of the underlying data.

    How to fix Improper Control of Generation of Code ('Code Injection')?

    Upgrade pgadmin4 to version 8.5 or higher.

    [,8.5)
    • M
    Deserialization of Untrusted Data

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of a file-based session management approach where session files are saved on disk as pickle objects. An attacker can execute arbitrary code on the system by manipulating the session ID to escape the intended session folder path and point to a maliciously crafted file.

    How to fix Deserialization of Untrusted Data?

    Upgrade pgadmin4 to version 8.4 or higher.

    [,8.4)
    • M
    Command Injection

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Command Injection when the HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. A user can run arbitrary commands on the server by passing commands as filenames.

    NOTE: This issue does not affect pgAdmin's desktop mode.

    How to fix Command Injection?

    Upgrade pgadmin4 to version 7.7 or higher.

    [,7.7)
    Go back to all versions of this package