rpm package
suse/pgadmin4&distro=SUSE Linux Enterprise Module for Python 3 15 SP6
pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9636 | — | < 8.5-150600.3.15.1 | 8.5-150600.3.15.1 | Sep 4, 2025 | pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation. | ||
| CVE-2025-27152 | — | < 8.5-150600.3.9.1 | 8.5-150600.3.9.1 | Mar 7, 2025 | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka | ||
| CVE-2023-1907 | — | < 4.30-150300.3.18.1 | 4.30-150300.3.18.1 | Jan 9, 2025 | A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously. | ||
| CVE-2024-48948 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Oct 15, 2024 | The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomal | ||
| CVE-2024-48949 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Oct 10, 2024 | The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. | ||
| CVE-2024-9014 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Sep 23, 2024 | pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. | ||
| CVE-2024-43788 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Aug 27, 2024 | Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s | ||
| CVE-2024-39338 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Aug 9, 2024 | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. | ||
| CVE-2024-38999 | Cri | 10.0 | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Jul 1, 2024 | jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |
| CVE-2024-38355 | Hig | 7.3 | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | Jun 19, 2024 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been | |
| CVE-2024-4068 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | May 13, 2024 | The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program | ||
| CVE-2024-4067 | — | < 8.5-150600.3.6.1 | 8.5-150600.3.6.1 | May 13, 2024 | The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w | ||
| CVE-2024-4216 | — | < 8.5-150600.3.3.1 | 8.5-150600.3.3.1 | May 2, 2024 | pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end. | ||
| CVE-2024-4215 | — | < 8.5-150600.3.3.1 | 8.5-150600.3.3.1 | May 2, 2024 | pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as |
- CVE-2025-9636Sep 4, 2025affected < 8.5-150600.3.15.1fixed 8.5-150600.3.15.1
pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.
- CVE-2025-27152Mar 7, 2025affected < 8.5-150600.3.9.1fixed 8.5-150600.3.9.1
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka
- CVE-2023-1907Jan 9, 2025affected < 4.30-150300.3.18.1fixed 4.30-150300.3.18.1
A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.
- CVE-2024-48948Oct 15, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomal
- CVE-2024-48949Oct 10, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
- CVE-2024-9014Sep 23, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
- CVE-2024-43788Aug 27, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s
- CVE-2024-39338Aug 9, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
- affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been
- CVE-2024-4068May 13, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program
- CVE-2024-4067May 13, 2024affected < 8.5-150600.3.6.1fixed 8.5-150600.3.6.1
The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w
- CVE-2024-4216May 2, 2024affected < 8.5-150600.3.3.1fixed 8.5-150600.3.3.1
pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.
- CVE-2024-4215May 2, 2024affected < 8.5-150600.3.3.1fixed 8.5-150600.3.3.1
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as