CVE-2025-60799
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-25
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phppgadmin_project | phppgadmin | up to and including 7.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in phpPgAdmin 7.13.0 and earlier is an incorrect access control issue in the sql.php file: the user-controlled request parameters 'subject', 'server', 'database' and 'queryid' are accepted without proper validation. An attacker can use this to manipulate session variables, specifically to store an arbitrary SQL query in $_SESSION['sqlquery'], which can lead to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.
How can this vulnerability impact me?
The vulnerability can allow an attacker to poison your session data, carry out stored cross-site scripting attacks, or gain unauthorized access to sensitive session information. This compromises the security and integrity of the application and can expose sensitive data or serve as a foothold for further attacks.