VYPR
Low severity · NVD Advisory · Published Nov 20, 2025 · Updated Nov 21, 2025

CVE-2025-60796

Description

phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpPgAdmin 7.13.0 and earlier contains multiple reflected cross-site scripting vulnerabilities due to unsanitized $_REQUEST parameters in several PHP scripts.

Vulnerability Analysis

phpPgAdmin versions 7.13.0 and earlier are affected by multiple reflected cross-site scripting (XSS) vulnerabilities. The root cause is that user-supplied input from the $_REQUEST superglobal is reflected back into HTML output without proper encoding or sanitization. This affects numerous script files, including sequences.php, indexes.php, admin.php, and others [1][2][3][4]. The lack of output encoding allows an attacker to craft a URL containing malicious JavaScript that will execute in the context of the application.

Exploitation

To exploit these vulnerabilities, an attacker must trick a victim into clicking a specially crafted link that contains malicious payloads in the query string parameters. The vulnerability is accessible without authentication, as phpPgAdmin does not always enforce session requirements for these specific script endpoints. The attack vector is via HTTP GET requests, where the malicious code is immediately reflected in the server's response [1][2][3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of credentials or other sensitive data, defacement of the interface, or performing actions on behalf of the victim within the phpPgAdmin application. The severity is amplified because phpPgAdmin manages PostgreSQL databases, potentially granting an attacker access to database contents or administrative functions if the victim has elevated

Mitigation

As of the publication date, no patch has been released for this version. Users are strongly advised to upgrade to phpPgAdmin version 7.14 or later once it becomes available. In the interim, administrators should apply strict input validation and output encoding as a workaround, or restrict access to the phpPgAdmin interface using network-level controls and authentication proxies [1].
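The output-encoding workaround in practice, as an added example that is not phpPgAdmin's own code: the reflection pattern the advisory describes (a $_REQUEST value written straight into markup) beside a hardened form that encodes for the HTML text, attribute and URL contexts. The parameter name `sequence`, the function names and the sample input are constructed for illustration.

```php
<?php
// Added example, not phpPgAdmin code. Both functions receive the request
// array (in the real scripts this would be $_REQUEST) and return HTML.

// Unsafe: the parameter is interpolated into markup without encoding, so
// any '<', '"' or '&' in it changes the structure of the page.
function render_title_unsafe(array $request): string {
    $seq = $request['sequence'] ?? '';
    return "<h2>Sequence: $seq</h2>";
}

// HTML encoder for text and attribute contexts. ENT_QUOTES also encodes the
// single quote, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: every reflected value is encoded for the context it lands in.
// A value placed in a URL is percent-encoded first, then HTML-encoded because
// the URL itself sits inside an attribute.
function render_title_safe(array $request): string {
    $seq = $request['sequence'] ?? '';
    return '<h2>Sequence: ' . h($seq) . '</h2>' . "\n"
         . '<a href="sequences.php?sequence=' . h(rawurlencode($seq)) . '">reload</a>';
}

// Constructed input containing markup-significant characters.
$request = ['sequence' => 'orders_id_seq"<em>x</em>'];

echo "unsafe:\n", render_title_unsafe($request), "\n\n";
echo "safe:\n",   render_title_safe($request),   "\n";
```

Run with `php example.php`; the unsafe output contains a live `<em>` element, while the safe output shows the same characters as `&quot;&lt;em&gt;x&lt;/em&gt;` and the link target as `orders_id_seq%22%3Cem%3Ex%3C%2Fem%3E`.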

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: phppgadmin/phppgadmin (Packagist)
Affected versions: <= 7.13.0
Patched versions: (none listed)

Affected products: 2

Patches: 0 (No patches discovered yet.)

References: 6

News mentions: 0 (No linked articles in our index yet.)