ADOdb PostgreSQL Driver SQL Injection Vulnerability in pg_insert_id() Method

Vulnerability

A SQL injection vulnerability has been identified in the ADOdb database abstraction library for PHP, specifically in its PostgreSQL driver. The issue stems from improper escaping of the parameters used to build a query, so an attacker who controls those parameters may execute arbitrary SQL statements. The vulnerability is present in ADOdb versions through 5.22.8 and is triggered when the pg_insert_id() method is called with user-supplied data.

Impact

Successful exploitation results in SQL injection: an attacker can execute arbitrary SQL commands against the database.

Reproduction

To reproduce this vulnerability, use an ADOdb version through 5.22.8 connected to a PostgreSQL database and call the pg_insert_id() method with unescaped user-supplied data; the injected input is executed as arbitrary SQL.

Remediation

Upgrade to ADOdb version 5.22.9 or later, which fixes this vulnerability.
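For installations that cannot upgrade immediately, the practical interim control is to never let request data reach pg_insert_id() at all: restrict the table and column arguments to plain SQL identifiers drawn from application code or an allow-list, and log when the running library is older than the fixed release. The following PHP is an added example written for this advisory, not code from the ADOdb project. It assumes the driver method has the signature pg_insert_id($tablename, $fieldname) and that ADOConnection::Version() returns the library version string; the wrapper function safeInsertId(), the helper names and the usage values are constructed for illustration.

```php
<?php
// Added example (not ADOdb project code): defensive wrapper around the
// PostgreSQL driver's pg_insert_id() for installations that cannot move
// to 5.22.9 right away. Assumptions: the driver method is
// pg_insert_id($tablename, $fieldname) and ADOConnection::Version()
// returns the library version string. Verify both against your install.

const ADODB_FIXED_VERSION = '5.22.9';

// Accept only a plain identifier, optionally schema-qualified (schema.table).
// Quotes, semicolons, whitespace and any other characters are rejected, so
// the value can never change the shape of the query the driver builds.
function isSafeIdentifier(string $name): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name) === 1;
}

// True when the loaded ADOdb is at or beyond the release that fixes this issue.
function adodbIsPatched(string $version): bool
{
    return version_compare($version, ADODB_FIXED_VERSION, '>=');
}

// Fetch the last inserted serial value without passing unchecked input to
// the driver. Throws rather than building a query from a bad identifier.
function safeInsertId(ADOConnection $db, string $table, string $field)
{
    if (!isSafeIdentifier($table) || !isSafeIdentifier($field)) {
        throw new InvalidArgumentException('Refusing non-identifier table or field name');
    }

    $version = ADOConnection::Version();
    if (!adodbIsPatched($version)) {
        // Detection hook: surfaces unpatched installs in the application log.
        error_log("ADOdb $version is older than " . ADODB_FIXED_VERSION . '; upgrade required');
    }

    return $db->pg_insert_id($table, $field);
}

// Stand-alone check of the guard (constructed inputs, no database needed).
var_dump(isSafeIdentifier('orders'));        // bool(true)
var_dump(isSafeIdentifier('shop.orders'));   // bool(true)
var_dump(isSafeIdentifier('orders id'));     // bool(false): whitespace is not an identifier
var_dump(adodbIsPatched('5.22.8'));          // bool(false)
var_dump(adodbIsPatched('5.22.9'));          // bool(true)

// Usage (constructed): identifiers come from application code or an
// allow-list, never directly from the request.
// $db = ADONewConnection('postgres9');
// $db->Connect($host, $user, $pass, $dbname);
// $id = safeInsertId($db, 'orders', 'id');
```

The identifier allow-list is deliberately stricter than what PostgreSQL permits (it excludes quoted identifiers with spaces or mixed case); that trade-off is intentional, since the wrapper's job is to make the unsafe call unreachable with attacker-shaped input, not to support every legal name. Upgrading to 5.22.9 remains the actual fix; the version check exists so that the wrapper is not mistaken for one.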

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          5.0
exploitability  6.0
remediation     7.9
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.