Phppgadmin Project Phppgadmin vulnerabilities
14 known vulnerabilities affecting phppgadmin_project/phppgadmin.
Total CVEs: 14
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 4, MEDIUM 10
Vulnerabilities
CVE-2025-60799 | MEDIUM | CVSS 6.1 | CWE-284 | affected: ≤ 7.13.0 | published: 2025-11-20
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store
Source: NVD
CVE-2025-60798 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≤ 7.13.0 | published: 2025-11-20
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manip
Source: NVD
CVE-2025-60796 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 7.13.0 | published: 2025-11-20
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can expl
Source: NVD
CVE-2025-60797 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≤ 7.13.0 | published: 2025-11-20
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to exec
Source: NVD
CVE-2023-40619 | CRITICAL | CVSS 9.8 | CWE-502 | affected: ≤ 7.14.4 | published: 2023-09-20
phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.
Sources: NVD, OSV
CVE-2019-10784 | CRITICAL | CVSS 9.6 | CWE-352 | affected: ≤ 7.12.1 (also listed as "All versions") | published: 2020-02-04
phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute
Sources: NVD, OSV
CVE-2012-1600 | MEDIUM | CVSS 4.3 | CWE-79 | affected: ≤ 5.0.3, v5.0, +2 more | published: 2014-05-14
Multiple cross-site scripting (XSS) vulnerabilities in functions.php in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) type of a function.
Sources: NVD, OSV
CVE-2011-3598 | MEDIUM | CVSS 4.3 | affected: ≥ 0, < 5.0.3-1 | published: 2011-10-08
Multiple cross-site scripting (XSS) vulnerabilities in phpPgAdmin before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) a web page title, related to classes/Misc.php; or the (2) return_url or (3) return_desc parameter to display.php.
Source: OSV
CVE-2008-5587 | MEDIUM | CVSS 4.3 | public PoC | affected: ≥ 0, < 4.2.1-1.1 | published: 2008-12-16
Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
Source: OSV
CVE-2007-5728 | CRITICAL | CVSS 9.3 | public PoC | affected: ≥ 0, < 4.1.3-0.1 | published: 2007-10-30
Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.
Source: OSV
CVE-2007-2865 | CRITICAL | CVSS 9.3 | public PoC | affected: ≥ 0, < 4.1.2-1 | published: 2007-05-25
Cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.
Source: OSV
CVE-2006-4976 | MEDIUM | CVSS 5.0 | affected: ≥ 0, < 5.1+ds-1 | published: 2006-09-25
The Date Library in John Lim ADOdb Library for PHP allows remote attackers to obtain sensitive information via a direct request for (1) server.php, (2) adodb-errorpear.inc.php, (3) adodb-iterator.inc.php, (4) adodb-pear.inc.php, (5) adodb-perf.inc.php, (6) adodb-xmlschema.inc.php, and (7) adodb.inc.php; files in datad
Source: OSV
CVE-2005-2256 | MEDIUM | CVSS 5.0 | public PoC | affected: ≥ 0, < 3.5.4-1 | published: 2005-07-13
Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 allows remote attackers to access arbitrary files via "%2e%2e%2f" (encoded dot dot) sequences in the formLanguage parameter.
Source: OSV
CVE-2004-2664 | MEDIUM | CVSS 5.0 | affected: ≥ 0, < 4.0.1-2 | published: 2004-12-31
John Lim ADOdb Library for PHP before 4.23 allows remote attackers to obtain sensitive information via direct requests to certain scripts that result in an undefined value of ADODB_DIR, which reveals the installation path in an error message.
Source: OSV