Remote Code Execution Vulnerability in phpPgAdmin by phpPgAdmin
CVE-2023-40619

9.8CRITICAL

Key Information:

Vendor: PHPpgadmin Project
Status: PHPpgadmin
Vendor: CVE Published:; 20 September 2023

🔔 Create PHPpgadmin Project Vulnerability Alert

What is CVE-2023-40619?

phpPgAdmin versions up to 7.14.4 are vulnerable to a deserialization issue where untrusted user data can lead to remote code execution. This occurs when the application directly passes controlled data to the PHP 'unserialize()' function without proper validation. The flaw is particularly evident in the table management module within 'tables.php', specifically concerning the processing of the 'ma[]' POST parameter. Attackers can exploit this vulnerability to execute arbitrary code, potentially compromising the integrity and security of the server.

References

https://github.com/dub-flow/vulnerability-research/tree/m...

https://lists.debian.org/debian-lts-announce/2023/11/msg0...

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Aug 17, 2023

JSON