CVE-2019-7545
Description
In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DbNinja 3.2.7 and earlier have a stored XSS vulnerability in the User Name field of the Add Host function.
Vulnerability
DbNinja version 3.2.7 (and all earlier versions) contains a stored cross-site scripting (XSS) vulnerability in the User Name field of the Add Host function within the Manage Hosts page [1]. The application does not sanitize or escape user input before storing it, allowing arbitrary JavaScript to be persisted [1].
Exploitation
An attacker must be authenticated to the DbNinja web interface [1]. Starting from the Manage Hosts page, the attacker clicks Add Host and inserts a malicious payload (e.g., ``) into the User Name field, then saves the new host entry [1]. When any user (including the attacker) subsequently double-clicks on the newly created host icon, the stored payload executes in the context of the victim’s browser session [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the browser of any user who interacts with the crafted host entry [1]. This can result in session hijacking, credential theft, defacement, or redirection to attacker-controlled sites, depending on the injected script [1].
Mitigation
No official fix or patched version has been released by the vendor as of the available references [1]. DbNinja 3.2.7 is the last known version; users should apply input validation and output encoding on the User Name field, or consider migrating to an alternative database management tool if a patch does not become available [1].
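The input validation and output encoding recommended above, sketched as an added example (this is not DbNinja's code and does not come from the cited reference). The function names, the host record shape and the user-name allowlist are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not DbNinja's own code.

// Assumed policy: database account names are short and use a small character set.
const USER_NAME_RE = /^[A-Za-z0-9_.@-]{1,32}$/;

// Input validation, applied server-side before a host record is stored.
function validateUserName(name) {
  return typeof name === "string" && USER_NAME_RE.test(name);
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Weak pattern: the stored value is concatenated into markup as-is.
function renderHostUnsafe(host) {
  return `<div class="host" title="${host.userName}">${host.userName}@${host.address}</div>`;
}

// Corrected pattern: every stored field is encoded at the point of output.
function renderHostSafe(host) {
  const user = escapeHtml(host.userName);
  const addr = escapeHtml(host.address);
  return `<div class="host" title="${user}">${user}@${addr}</div>`;
}

// Audit: list records saved before validation existed that would not pass it now.
function auditStoredHosts(hosts) {
  return hosts.filter((h) => !validateUserName(h.userName)).map((h) => h.id);
}

// Constructed sample records (not taken from a real installation).
const sampleHosts = [
  { id: 1, userName: "root", address: "127.0.0.1" },
  { id: 2, userName: '<b title="x">admin</b>', address: "db.example.internal" },
];

console.log(auditStoredHosts(sampleHosts));
console.log(renderHostUnsafe(sampleHosts[1]));
console.log(renderHostSafe(sampleHosts[1]));
```

Validation alone does not clean up records that are already stored, which is why the audit and the encoding at output are shown alongside it.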
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
[1] github.com/0xUhaw/CVE-Bins/tree/master/DbNinja (mitre, x_refsource_MISC)