Thank you for reporting this. We will fix this before the next release. Please report it here - https://redmine.postgresql.org/projects/pgadmin4/issues/new
On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda...@gmail.com> wrote:
> Hi team, I found an XSS vulnerability on the latest pgAdmin4 (6.12).
>
> Step by step
>
> Bug is at API /browser/server/obj/7/
> Object -> Register -> Server -> Connection
> Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
> Click save, XSS fired
>
> Any more information, you can ask me
>
> Thanks
> khoabda

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | *edbpostgres.com* <http://edbpostgres.com>
"Don't Complain about Heat, Plant a TREE"
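The mechanism behind a report like this, shown as an added example that is not part of the thread and is not pgAdmin's code: a value saved through a form (here the hostname from the register-server dialog) is later concatenated into markup, so a value containing `">` closes the attribute and the tag and the rest is parsed as a new element. The helper names (`renderServerRowUnsafe`, `renderServerRowSafe`, `tagNames`) and the row layout are assumptions made for illustration; the page does not show pgAdmin's actual rendering code path, only that the hostname value triggers the XSS.

```javascript
// Added example, not pgAdmin's code: stored XSS via an unescaped server
// property concatenated into HTML, beside the escaped rendering.
// renderServerRowUnsafe/renderServerRowSafe and the row layout are
// hypothetical; the report does not show the real pgAdmin code path.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open or close a tag or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the saved hostname goes straight into markup, both in
// an attribute and in element text. A value containing `">` terminates the
// attribute and the <td> start tag, and whatever follows becomes new elements.
function renderServerRowUnsafe(server) {
  return '<tr><td data-host="' + server.host + '">' + server.host + '</td></tr>';
}

// Hardened: escape each untrusted value before it enters markup. The same
// payload is now inert text inside the attribute and the cell.
function renderServerRowSafe(server) {
  const host = escapeHtml(server.host);
  return '<tr><td data-host="' + host + '">' + host + '</td></tr>';
}

// Minimal start-tag scanner so the result can be checked without a DOM:
// returns the element names that an HTML parser would open for this string.
function tagNames(markup) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed input: the hostname value quoted in the report.
const REPORTED_PAYLOAD = 'ss"><iframe src=javascript:alert(document.domain)>';
const server = { host: REPORTED_PAYLOAD };

// Renders the same server both ways and reports which elements each produced.
function demo() {
  const unsafe = renderServerRowUnsafe(server);
  const safe = renderServerRowSafe(server);
  return {
    unsafeTags: tagNames(unsafe),          // ['tr', 'td', 'iframe', 'iframe']
    safeTags: tagNames(safe),              // ['tr', 'td']
    unsafeHasIframe: tagNames(unsafe).includes('iframe'),
    safeHasIframe: tagNames(safe).includes('iframe'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Escaping at render time is the minimum fix; in a browser the more robust choice is to never build markup from user data at all and instead set `textContent` or use `setAttribute` on DOM nodes, which cannot create elements from a string. Note that escaping only addresses the HTML text and quoted-attribute contexts: a value that ends up in a URL-bearing attribute or inside a script still needs context-specific validation, and a Content-Security-Policy that disallows inline script limits the impact of any escape that is missed.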