Debian Phppgadmin vulnerabilities

15 known vulnerabilities affecting debian/phppgadmin.

Total CVEs: 15
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 2, MEDIUM 6, LOW 7

Vulnerabilities

CVE-2025-60796 | MEDIUM | CVSS 6.1 | 2025
[MEDIUM] phppgadmin: phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these v
CVE-2025-60799 | MEDIUM | CVSS 6.1 | 2025
[MEDIUM] phppgadmin: phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQ
CVE-2025-60797 | MEDIUM | CVSS 6.5 | 2025
[MEDIUM] phppgadmin: phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitr
CVE-2025-60798 | MEDIUM | CVSS 6.5 | 2025
[MEDIUM] phppgadmin: phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, po
CVE-2023-40619 | CRITICAL | CVSS 9.8 | fixed in phppgadmin 7.14.7+dfsg-1 (forky) | 2023
[CRITICAL] phppgadmin: phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized. Scope: local; forky: re
CVE-2019-10784 | CRITICAL | CVSS 9.6 | fixed in phppgadmin 7.14.7+dfsg-1 (forky) | 2019
[CRITICAL] phppgadmin: phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php", does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary sy
CVE-2012-1600 | MEDIUM | CVSS 4.3 | fixed in phppgadmin 5.0.4-1 (forky) | 2012
[MEDIUM] phppgadmin: Multiple cross-site scripting (XSS) vulnerabilities in functions.php in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) type of a function. Scope: local; forky: resolved (fixed in 5.0.4-1); sid: resolved (fixed in 5.0.4-1); trixie: resolved (fixed in 5.0.4-1)
CVE-2011-3598 | LOW | CVSS 4.3 | fixed in phppgadmin 5.0.3-1 (forky) | 2011
[MEDIUM] phppgadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpPgAdmin before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) a web page title, related to classes/Misc.php; or the (2) return_url or (3) return_desc parameter to display.php. Scope: local; forky: resolved (fixed in 5.0.3-1); sid: resolved (fixed in 5.0.3-1); trixie: resolved (fix
CVE-2008-5587 | LOW | CVSS 4.3 | PoC | fixed in phppgadmin 4.2.1-1.1 (forky) | 2008
[MEDIUM] phppgadmin: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. Scope: local; forky: resolved (fixed in 4.2.1-1.1); sid: resolved (fixed in 4.2.1-1.1); trixie: resolved (fixed in 4.2.1-1.1)
CVE-2007-5728 | LOW | CVSS 9.3 | PoC | fixed in phppgadmin 4.1.3-0.1 (forky) | 2007
[CRITICAL] phppgadmin: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865. Scope: local; forky: resolved (fixed in 4.1.3-0.1); sid: resolved (fixed in 4.1
CVE-2007-2865 | LOW | CVSS 9.3 | PoC | fixed in phppgadmin 4.1.2-1 (forky) | 2007
[CRITICAL] phppgadmin: Cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter. Scope: local; forky: resolved (fixed in 4.1.2-1); sid: resolved (fixed in 4.1.2-1); trixie: resolved (fixed in 4.1.2-1)
CVE-2006-4976 | LOW | CVSS 5.0 | fixed in phppgadmin 5.1+ds-1 (forky) | 2006
[MEDIUM] libphp-adodb: The Date Library in John Lim ADOdb Library for PHP allows remote attackers to obtain sensitive information via a direct request for (1) server.php, (2) adodb-errorpear.inc.php, (3) adodb-iterator.inc.php, (4) adodb-pear.inc.php, (5) adodb-perf.inc.php, (6) adodb-xmlschema.inc.php, and (7) adodb.inc.php; files in datadict including (8) datadict-access.inc.php, (
CVE-2006-4618 | LOW | CVSS 5.1 | 2006
[MEDIUM] libphp-adodb: PHP remote file inclusion vulnerability in adodb-postgres7.inc.php in John Lim ADOdb, possibly 4.01 and earlier, as used in Intechnic In-link 2.3.4, allows remote attackers to execute arbitrary PHP code via a URL in the ADODB_DIR parameter. Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2005-2256 | MEDIUM | CVSS 5.0 | PoC | fixed in phppgadmin 3.5.4-1 (forky) | 2005
[MEDIUM] phppgadmin: Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 allows remote attackers to access arbitrary files via "%2e%2e%2f" (encoded dot dot) sequences in the formLanguage parameter. Scope: local; forky: resolved (fixed in 3.5.4-1); sid: resolved (fixed in 3.5.4-1); trixie: resolved (fixed in 3.5.4-1)
CVE-2004-2664 | LOW | CVSS 5.0 | fixed in phppgadmin 4.0.1-2 (forky) | 2004
[MEDIUM] libphp-adodb: John Lim ADOdb Library for PHP before 4.23 allows remote attackers to obtain sensitive information via direct requests to certain scripts that result in an undefined value of ADODB_DIR, which reveals the installation path in an error message. Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved