Homepage

pgadmin4@8.5 vulnerabilities

PostgreSQL Tools

  • latest version

    9.2

  • latest non vulnerable version

    9.2

  • first published

    4 years ago

  • latest version published

    17 days ago

  • licenses detected

  • View pgadmin4 package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the pgadmin4 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Remote Code Execution (RCE)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the Cloud Deployment with Google Provider module, which is accessible via the high_availability parameter to the /deploy endpoint and in the Query Tool interface, which is accessible via the query_commited parameter to the /download endpoint. An attacker can execute arbitrary commands with the privileges of the application user.

    How to fix Remote Code Execution (RCE)?

    Upgrade pgadmin4 to version 9.2 or higher.

    [,9.2)
    • M
    Cross-site Scripting (XSS)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the measureText() function, accessible via the Query Tool interface. An attacker can inject malicious scripts into the displayed output.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 9.2 or higher.

    [,9.2)
    • H
    Information Exposure

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Information Exposure due to improper handling of OAuth2 authentication credentials.

    How to fix Information Exposure?

    Upgrade pgadmin4 to version 8.12 or higher.

    [,8.12)
    • M
    Cross-site Scripting (XSS)

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /settings/store API response json payload. An attacker can execute malicious script at the client end by injecting script content into the json response.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 8.6 or higher.

    [,8.6)
    • M
    Authentication Bypass

    pgadmin4 is a PostgreSQL Tools

    Affected versions of this package are vulnerable to Authentication Bypass due to a flaw in the multi-factor authentication process. An attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

    How to fix Authentication Bypass?

    Upgrade pgadmin4 to version 8.6 or higher.

    [,8.6)
    Go back to all versions of this package