CVE-2023-40619 — Deserialization of Untrusted Data in Phppgadmin

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

3.5%

top 12.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phppgadmin Project Phppgadmin Debian Phppgadmin

Timeline

PublishedSep 20

Description

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/phppgadmin< phppgadmin 7.14.7+dfsg-1 (forky)

▶Debianphppgadmin_project/phppgadmin< 7.14.7+dfsg-1+1

▶NVDphppgadmin_project/phppgadmin7.14.4

🔴Vulnerability Details

OSV

CVE-2023-40619: phpPgAdmin 7↗2023-09-20

▶

GHSA

GHSA-r8pf-p598-jhpm: phpPgAdmin 7↗2023-09-20

▶

📋Vendor Advisories

Debian

CVE-2023-40619: phppgadmin - phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data...↗2023

▶