pgAdmin 4 Stored Cross-Site Scripting Vulnerability in Browser Tree and Explain Visualizer Modules

A stored cross-site scripting vulnerability has been identified in pgAdmin 4 versions prior to 9.15. This issue arises in the Browser Tree and Explain Visualizer modules, where user-controlled PostgreSQL object names are assigned to DOM elements using innerHTML. This allows for the execution of attacker-supplied JavaScript in the browsers of pgAdmin users who interact with the malicious objects. The vulnerability has been addressed by replacing innerHTML with textContent.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user.

Reproduction

To reproduce this vulnerability, create a table in PostgreSQL with a name that includes a crafted payload, such as a JavaScript alert. After creating the table, navigate to it in the pgAdmin 4 Browser Tree. Then, access the Explain Visualizer module and observe the execution of the injected JavaScript.

Remediation

Users can update to pgAdmin 4 version 9.15 or later, where this vulnerability has been fixed.