CVE-2024-4216 XSS vulnerability in /settings/store API response json payload in pgAdmin 4

2024-05-0217:42:59

PostgreSQL

github.com

cve-2024-4216

xss

vulnerability

pgadmin 4

settings

api

json payload

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.

CNA Affected

[
  {
    "repo": "https://github.com/pgadmin-org/pgadmin4",
    "vendor": "pgadmin.org",
    "modules": [
      "pgadmin layout"
    ],
    "product": "pgAdmin 4",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "8.6",
        "versionType": "custom"
      }
    ],
    "programFiles": [
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/browser/templates/browser/js/utils.js"
    ],
    "defaultStatus": "affected"
  }
]