Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): pgAdmin
  • Search Type: Search All
  • Match: Exact
  • CPE Name Search: false
There are 14 matching records.
Displaying matches 1 through 14.
Vuln ID Summary CVSS Severity

pgAdmin 4 versions prior to v6.19 contain a directory traversal vulnerability. A user of the product may change another user's settings or alter the database.

Published: March 27, 2023; 5:15:10 PM -0400
V3.x:(not available)
V2.0:(not available)

Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.

Published: January 17, 2023; 5:15:11 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to call it with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server.

Published: December 13, 2022; 11:15:26 AM -0500
V3.1: 8.8 HIGH
V2.0:(not available)

A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Published: June 16, 2022; 3:15:07 AM -0400
V3.1: 7.8 HIGH
V2.0: 4.4 MEDIUM

A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.

Published: March 16, 2022; 11:15:16 AM -0400
V3.1: 6.5 MEDIUM
V2.0: 3.5 LOW

phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php", does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator into visiting a malicious page with a CSRF exploit and execute arbitrary system commands on the server.

Published: February 04, 2020; 2:15:10 PM -0500
V3.1: 9.6 CRITICAL
V2.0: 9.3 HIGH

Multiple cross-site scripting (XSS) vulnerabilities in functions.php in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) type of a function.

Published: May 13, 2014; 8:55:06 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM

Multiple SQL injection vulnerabilities in the administration interface in ASKIA askiaweb allow remote attackers to execute arbitrary SQL commands via (1) the nHistoryId parameter to WebProd/pages/pgHistory.asp or (2) the OrderBy parameter to WebProd/pages/pgadmin.asp.

Published: March 21, 2013; 5:55:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH

Multiple cross-site scripting (XSS) vulnerabilities in phpPgAdmin before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) a web page title, related to classes/Misc.php; or the (2) return_url or (3) return_desc parameter to display.php.

Published: October 07, 2011; 10:52:52 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM

Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.

Published: December 16, 2008; 2:07:31 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.

Published: October 30, 2007; 5:46:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.

Published: May 25, 2007; 2:30:00 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH

Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 allows remote attackers to access arbitrary files via "%2e%2e%2f" (encoded dot dot) sequences in the formLanguage parameter.

Published: July 13, 2005; 12:00:00 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM

Directory traversal vulnerability in phpPgAdmin 2.2.1 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script.

Published: June 27, 2001; 12:00:00 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH