High severity · NVD Advisory · Published May 2, 2024 · Updated Feb 13, 2025
XSS vulnerability in /settings/store API response json payload in pgAdmin 4
CVE-2024-4216
Description
pgAdmin <= 8.5 is affected by an XSS vulnerability in the /settings/store API response JSON payload. The vulnerability allows an attacker to execute script in the client's browser.
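To show what the one-token template change in the utils.js patch below actually does, here is an added example, not pgAdmin's own code: the pre-fix `layout: '{{ layout }}'` interpolation and the post-fix `layout: {{ layout|tojson }}` form rendered side by side over a constructed sample value. `htmlsafe_json_dumps` is a stdlib re-implementation of the escaping that Jinja's `tojson` filter performs (not Jinja's code), `SAMPLE_LAYOUT` is constructed, and the helper names are assumptions.

```python
import json

# Constructed sample value for the "layout" setting. It deliberately carries
# the characters that matter when a server-side value is spliced into a
# <script> block: a single quote, angle brackets and an ampersand.
SAMPLE_LAYOUT = '{"dockbox": "it\'s <main> & more"}'

# Characters the HTML parser acts on inside <script>; a value emitted into a
# script block should never contain them unescaped.
HTML_SIGNIFICANT = frozenset("<>&")


def render_interpolated(layout: str) -> str:
    """Mirror the pre-fix template line `layout: '{{ layout }}',`.

    Flask autoescapes only .html/.htm/.xml/.xhtml/.svg templates by default,
    so in a .js template the value is spliced verbatim into a single-quoted
    JavaScript string literal.
    """
    return f"layout: '{layout}',"


def htmlsafe_json_dumps(obj) -> str:
    """Stdlib re-implementation (not Jinja's own code) of what Jinja's
    `tojson` filter does: serialise to JSON, then replace the characters
    that could close the <script> element or break out of a literal with
    \\uXXXX escapes. JSON and JavaScript both decode these back to the
    original characters, so the data is unchanged for the consumer."""
    return (
        json.dumps(obj)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
        .replace("'", "\\u0027")
    )


def render_tojson(layout: str) -> str:
    """Mirror the post-fix template line `layout: {{ layout|tojson }},`."""
    return f"layout: {htmlsafe_json_dumps(layout)},"


def raw_html_significant_chars(rendered: str) -> set:
    """Which of < > & reach the page unescaped in the rendered JS line."""
    return {c for c in rendered if c in HTML_SIGNIFICANT}


def decode_emitted_literal(rendered: str) -> str:
    """Parse the emitted value the way a JS engine would read the literal.

    Only meaningful for the tojson form: a JSON string literal is also a
    valid JavaScript string literal, so round-tripping through json.loads
    proves the escapes are transparent to the consumer.
    """
    literal = rendered[len("layout: "):-len(",")]
    return json.loads(literal)


if __name__ == "__main__":
    before = render_interpolated(SAMPLE_LAYOUT)
    after = render_tojson(SAMPLE_LAYOUT)
    print("before:", before)
    print("  raw < > & present:", sorted(raw_html_significant_chars(before)))
    print("  single quotes in line:", before.count("'"), "(literal ends early)")
    print("after: ", after)
    print("  raw < > & present:", sorted(raw_html_significant_chars(after)))
    print("  decodes back to original:", decode_emitted_literal(after) == SAMPLE_LAYOUT)
```

The interpolated line contains three single quotes, so the JavaScript string literal ends at the quote inside the value, and `<`, `>` and `&` reach the HTML parser untouched. The `tojson` line contains none of those characters, yet `json.loads` recovers the original value exactly, which is why emitting a JSON literal rather than quoting a string is the right general fix for every value placed into this object, not only `layout`.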
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pgAdmin4 (PyPI) | < 8.6 | 8.6 |
Patches
e384c9665ae2 Fixed a XSS vulnerability in the /settings/store endpoint. #7282
3 files changed · +5 −6
web/pgadmin/browser/static/js/node.js+3 −3 modified@@ -139,7 +139,7 @@ define('pgadmin.browser.node', [ }, enable: _.isFunction(self.canEdit) ? function() { - return !!(self.canEdit(arguments)); + return !!(self.canEdit(...arguments)); } : (!!self.canEdit), }]); } @@ -159,7 +159,7 @@ define('pgadmin.browser.node', [ }, enable: _.isFunction(self.canDrop) ? function() { - return !!(self.canDrop(arguments)); + return !!(self.canDrop(...arguments)); } : (!!self.canDrop), }]); @@ -177,7 +177,7 @@ define('pgadmin.browser.node', [ }, enable: _.isFunction(self.canDropCascade) ? function() { - return self.canDropCascade(arguments); + return self.canDropCascade(...arguments); } : (!!self.canDropCascade), }]); }
web/pgadmin/browser/templates/browser/js/utils.js+1 −2 modified@@ -38,7 +38,6 @@ define('pgadmin.browser.utils', ['sources/pgadmin'], function(pgAdmin) { - let pgBrowser = pgAdmin.Browser = pgAdmin.Browser || {}; pgBrowser['MainMenus'] = []; @@ -86,7 +85,7 @@ define('pgadmin.browser.utils', ]; pgBrowser.utils = { - layout: '{{ layout }}', + layout: {{ layout|tojson }}, theme: '{{ theme }}', pg_help_path: '{{ pg_help_path }}', tabSize: '{{ editor_tab_size }}',
web/pgadmin/static/js/tree/tree.js+1 −1 modified@@ -408,7 +408,7 @@ export class Tree { } findNodeByDomElement(domElement) { - const path = domElement.path; + const path = domElement?.path; if (!path?.[0]) { return undefined; }
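Review bot: the change from `self.canEdit(arguments)` to `self.canEdit(...arguments)` in the first node.js hunk is a genuine bug fix (the callee previously received the whole `arguments` object as its first parameter instead of the individual values), but it is unrelated to the /settings/store XSS named in the commit message; it would be easier to audit and backport as its own commit, and the `enable` callback deserves a unit test asserting that `canEdit` now sees the positional arguments.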
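Review bot: `return self.canDropCascade(...arguments);` in the third node.js hunk still lacks the `!!` coercion that the `canEdit` and `canDrop` hunks apply, so a `canDropCascade` that returns a non-boolean (undefined, a string) propagates as-is while its sibling callbacks always yield a boolean; for consistency write `return !!(self.canDropCascade(...arguments));`.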
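Review bot: removing `let pgBrowser = pgAdmin.Browser = pgAdmin.Browser || {};` in the first utils.js hunk leaves the following `pgBrowser['MainMenus'] = [];` depending on a `pgBrowser` binding that this hunk does not show; confirm it is declared earlier in the same module (the diff context does not include it), otherwise the assignment becomes an implicit global in sloppy mode or a ReferenceError in strict mode.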
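Review bot: `layout: {{ layout|tojson }},` in the second utils.js hunk is the right shape for the fix, since Flask does not autoescape a .js template and `'{{ layout }}'` spliced the raw value into a JavaScript string literal, whereas `tojson` emits a JSON literal with `<`, `>`, `&` and `'` replaced by `\u` escapes; but the neighbouring `theme: '{{ theme }}'`, `pg_help_path: '{{ pg_help_path }}'` and `tabSize: '{{ editor_tab_size }}'` keep the old pattern. Apply `|tojson` to every value interpolated into this object rather than only to the one field reported, so the fix does not depend on which settings happen to be user-controlled today.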
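Review bot: `const path = domElement?.path;` in the tree.js hunk makes `findNodeByDomElement` tolerate a null or undefined element and fall through to the existing `if (!path?.[0]) { return undefined; }` guard, which is sensible hardening, but like the node.js changes it is unrelated to the advisory's XSS and is not mentioned in the commit message; a line in the message (or a separate commit) would help anyone tracing this CVE's fix.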
References
- github.com/advisories/GHSA-xv64-8p4r-94gq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-4216 (NVD advisory)
- github.com/pgadmin-org/pgadmin4/commit/e384c9665ae2e72376be7cefa8e652efcee93767 (fix commit)
- github.com/pgadmin-org/pgadmin4/issues/7282 (issue tracker)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2YFVCB4HCXU3FQBZ5XTWJZWSZUDNCXE (Fedora package announcement)