CVE-2025-60796
MEDIUM6.1EPSS 0.04%phppgadmin vulnerable to Cross-site Scripting
發布日:2025/11/20修改日:2025/11/20
描述
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs from $_REQUEST parameters are reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.
受影響套件(2)
- Debian/phppgadminfrom 0
- Packagist/phppgadmin/phppgadminfrom 0, <= 7.13.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-60796
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-60796
- PATCHhttps://github.com/phppgadmin/phppgadmin
- WEBhttps://github.com/phppgadmin/phppgadmin/blob/master/admin.php#L35
- WEBhttps://github.com/phppgadmin/phppgadmin/blob/master/indexes.php#L29
- WEBhttps://github.com/phppgadmin/phppgadmin/blob/master/sequences.php#L316
- WEBhttps://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60796.md