On Mon, Aug 22, 2022 at 3:30 PM Aditya Toshniwal <aditya.toshni...@enterprisedb.com> wrote:

> Thank you for reporting this. We will fix this before the next release.
>
> Please report it here -
> https://redmine.postgresql.org/projects/pgadmin4/issues/new
>

We have committed the fix.

>
>
> On Mon, Aug 22, 2022 at 3:03 PM Khoa Bùi Đức Anh <khoabda...@gmail.com> wrote:
>
>> Hi team, I found an XSS vulnerability in the latest pgAdmin4 (6.12).
>>
>> Step by step
>>
>> Bug is at API /browser/server/obj/7/
>> Object -> Register -> Server -> Connection
>> Fill in Hostname/address value ss"><iframe
>> src=javascript:alert(document.domain)>
>> Click save, XSS fired
>>
>> For any more information, you can ask me
>>
>> Thanks
>> khoabda
>>
>
>
> --
> Thanks,
> Aditya Toshniwal
> pgAdmin Hacker | Software Architect | *edbpostgres.com* <http://edbpostgres.com>
> "Don't Complain about Heat, Plant a TREE"
>

--
<http://www.enterprisedb.com>
Akshay Joshi
Principal Software Architect
+91 9767888246
www.enterprisedb.com
<https://www.linkedin.com/company/edbpostgres> <https://twitter.com/edbpostgres?lang=en> <https://www.facebook.com/EDBpostgres> <https://www.instagram.com/EDBpostgres/>
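The report above is a classic stored XSS: a value an authenticated user typed into a server's Hostname/address field is later written into the browser DOM as markup instead of as text. The mitigation is contextual output encoding of every user-controlled field at the point where it is rendered, plus a regression check that the rendered fragment contains no tags beyond the fixed ones the renderer emits itself. The following is an added example, not pgAdmin's own code or the fix the maintainers committed; `escapeHtml`, `renderServerProperties` and `containsOnlyAllowedTags` are hypothetical names, and the `reportedServer` object is constructed sample input that reuses the hostname value from the report.

```javascript
// Added example (not pgAdmin's code): render a server's connection
// properties into HTML with every user-controlled field escaped, so a
// hostname like the one in the report is displayed as text, not parsed.

// Characters that must never reach the HTML parser unescaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape a value for insertion into element content or a quoted attribute.
// Coercing to String first means numbers are handled and null/undefined
// become an empty string instead of the literal text "null"/"undefined".
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for a Properties pane. Each cell value comes from
// server JSON (name, host, port) that a user supplied at registration time,
// so each one is escaped individually before being placed in the template.
function renderServerProperties(server) {
  const rows = [
    ['Name', server.name],
    ['Host name/address', server.host],
    ['Port', server.port],
  ];
  const body = rows
    .map(([label, value]) =>
      `<tr><th>${escapeHtml(label)}</th><td>${escapeHtml(value)}</td></tr>`)
    .join('');
  return `<table class="server-props">${body}</table>`;
}

// Regression check for a unit test or pre-release audit: the rendered
// fragment may contain only the tags the renderer itself emits. Any other
// tag name means a user-controlled value reached the markup unescaped.
const ALLOWED_TAGS = new Set(['table', 'tr', 'th', 'td']);
function containsOnlyAllowedTags(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return false;
  }
  return true;
}

// Constructed sample input: the hostname value from the report above.
const reportedServer = {
  name: 'local',
  host: 'ss"><iframe src=javascript:alert(document.domain)>',
  port: 5432,
};

const renderedReport = renderServerProperties(reportedServer);
console.log(renderedReport);
console.log('only allowed tags:', containsOnlyAllowedTags(renderedReport));
```

Escaping at render time rather than at input time is deliberate: the hostname must be stored verbatim (a stored value that was HTML-escaped would break the actual connection string), and the same value may later be rendered in an HTML context, an attribute, or a JSON payload, each of which needs its own encoding. In a framework-rendered UI the equivalent rule is to use the framework's text binding (React's `{value}`, Jinja's autoescape) and never an `innerHTML`-style or `|safe` sink for user-controlled fields.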