GHSA-r63p-v37q-g74c

Source

https://github.com/advisories/GHSA-r63p-v37q-g74c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-r63p-v37q-g74c/GHSA-r63p-v37q-g74c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r63p-v37q-g74c

Aliases

CVE-2025-60799

Published

2025-11-20T15:30:24Z

Modified

2025-11-21T18:44:00.305750Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

phppgadmin contains an incorrect access control vulnerability

Details

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ],
    "nvd_published_at": "2025-11-20T15:17:38Z",
    "github_reviewed_at": "2025-11-21T18:09:49Z"
}

References

Affected packages

Packagist / phppgadmin/phppgadmin

Package

Name: phppgadmin/phppgadmin
Purl: pkg:composer/phppgadmin/phppgadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

7.13.0