Bug 1223868 (CVE-2024-4216) - VUL-0: CVE-2024-4216: pgadmin4: XSS in /settings/store endpoint
Summary: VUL-0: CVE-2024-4216: pgadmin4: XSS in /settings/store endpoint
Status: IN_PROGRESS
Alias: CVE-2024-4216
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Antonio Larrosa
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404189/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4216:5.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-03 14:58 UTC by SMASH SMASH
Modified: 2024-07-02 12:30 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-03 14:58:20 UTC
pgAdmin <= 8.5 is affected by an XSS vulnerability in the /settings/store API response JSON payload. This vulnerability allows attackers to execute malicious script at the client end.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4216
https://www.cve.org/CVERecord?id=CVE-2024-4216
https://github.com/pgadmin-org/pgadmin4/issues/7282
https://bugzilla.redhat.com/show_bug.cgi?id=2278851
Comment 2 Camila Camargo de Matos 2024-05-03 14:59:37 UTC
The upstream patch seems to be available at: https://github.com/pgadmin-org/pgadmin4/commit/e384c9665ae2e72376be7cefa8e652efcee93767
Comment 10 Maintenance Automation 2024-07-02 12:30:28 UTC
SUSE-SU-2024:2260-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1223867, 1223868
CVE References: CVE-2024-4215, CVE-2024-4216
Maintenance Incident: [SUSE:Maintenance:34492](https://smelt.suse.de/incident/34492/)
Sources used:
Python 3 Module 15-SP6 (src):
 pgadmin4-8.5-150600.3.3.1
openSUSE Leap 15.6 (src):
 pgadmin4-8.5-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.