CVE-2025-60799

6.1 MEDIUM

📋 TL;DR

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php: the request parameters 'subject', 'server', 'database' and 'queryid' are taken from the client without validation and used to select what is written into the session (notably $_SESSION['sqlquery']). An authenticated user can therefore poison session state, plant attacker-chosen SQL text that is later rendered (stored cross-site scripting), or read session data they should not be able to reach. All installations running an affected version are exposed, independent of configuration.

💻 Affected Systems

Products:
  • phpPgAdmin
Versions: 7.13.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

📦 What is this software?

phpPgAdmin is a web-based administration tool for PostgreSQL written in PHP. It runs under a web server (typically Apache or nginx with PHP) and keeps per-user state, including the SQL query history that sql.php reads back by queryid, in the PHP session.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could poison session state with attacker-chosen SQL text that is later rendered without adequate escaping (stored XSS), read session data that should be out of reach (for example other entries in the session-held query history), and from there drive the database management functions available to the affected session.

🟠

Likely Case

Session manipulation by an authenticated user that stores arbitrary SQL text in the session, which is then echoed back by the query editor and history views; where that output is not escaped, it becomes stored XSS against whoever views it.

🟢

If Mitigated

Proper input validation and access controls would prevent parameter manipulation, limiting impact to intended functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.14.0 or later

Vendor Advisory: https://github.com/phppgadmin/phppgadmin/security/advisories

Restart Required: No

Instructions:

1. Download the latest release from the official repository.
2. Deploy the full patched tree rather than swapping in a single file; at minimum sql.php must be replaced with the patched version, but copying one file over a mixed-version install is easy to get wrong.
3. Verify that sql.php validates 'subject', 'server', 'database' and 'queryid' before anything is written to $_SESSION['sqlquery'].

🔧 Temporary Workarounds

Input Validation Filter

linux

Add parameter validation to sql.php so that 'subject' is compared against the fixed set of values the page actually handles, 'queryid' is required to be a non-negative integer, 'server' and 'database' must refer to the connection the session is already bound to, and the request is rejected before anything is written to $_SESSION['sqlquery'].

Do not apply this as a blind line-range substitution. A command of the form

sed -i '68,76s/.*/\/\/ Add validation logic here/' /path/to/sql.php

overwrites nine lines of sql.php with a comment, which breaks the page instead of hardening it. Edit the file by hand, diff the result against the upstream patched release, and keep a backup of the original.
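The following is an added example written for this page; it is not code from phpPgAdmin or its maintainers. The shape of the "vulnerable" function is an assumption drawn from the advisory text (request parameters used unchecked to select a history entry that is then copied into $_SESSION['sqlquery']); the session keys `cur_server` and `cur_database`, the subject allowlist, and every function name are hypothetical stand-ins for however a real deployment records its active connection.

```php
<?php
// Added example (editor's illustration, not phpPgAdmin code). The vulnerable
// shape below is ASSUMED from the advisory: request parameters are used unchecked
// as keys into the session-held history and the result lands in
// $_SESSION['sqlquery']. 'cur_server'/'cur_database' and the function names are
// hypothetical.

declare(strict_types=1);

// --- vulnerable pattern (do not deploy) --------------------------------------
function load_history_query_vulnerable(array $request, array &$session): void
{
    if (isset($request['subject']) && $request['subject'] === 'history') {
        // Every key is attacker-controlled; nothing checks that the entry exists
        // or that it belongs to the connection the user is actually working in.
        $session['sqlquery'] = $session['history'][$request['server']]
                                                   [$request['database']]
                                                   [$request['queryid']]['query'];
    }
}

// --- hardened pattern ----------------------------------------------------------
// Returns true when a history entry was loaded, false when the request was rejected.
function load_history_query_hardened(array $request, array &$session): bool
{
    // 1. 'subject' must be one of the values this code path really handles.
    $allowedSubjects = ['history'];   // hypothetical allowlist; extend per deployment
    if (!isset($request['subject']) || !in_array($request['subject'], $allowedSubjects, true)) {
        return false;
    }

    // 2. All lookup keys must be present, scalar, non-empty strings
    //    (queryid[]=1 would otherwise arrive as an array).
    foreach (['server', 'database', 'queryid'] as $p) {
        if (!isset($request[$p]) || !is_string($request[$p]) || $request[$p] === '') {
            return false;
        }
    }
    $server   = $request['server'];
    $database = $request['database'];
    $queryid  = $request['queryid'];

    // queryid indexes a numerically keyed list: digits only, canonical form
    // (rejects "-1", " 1", "1e3", "007" and anything that overflows int).
    if (!ctype_digit($queryid) || $queryid !== (string)(int)$queryid) {
        return false;
    }
    // server/database are identifiers: refuse control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $server . $database) === 1) {
        return false;
    }

    // 3. Only permit lookups for the connection this session is bound to.
    if (($session['cur_server'] ?? null) !== $server
        || ($session['cur_database'] ?? null) !== $database) {
        return false;
    }

    // 4. The entry must exist and be a string before it is copied anywhere.
    //    '??' uses isset() semantics, so a missing or wrongly typed level yields null
    //    instead of a warning or a string-offset error.
    $entry = $session['history'][$server][$database][(int)$queryid]['query'] ?? null;
    if (!is_string($entry)) {
        return false;
    }

    $session['sqlquery'] = $entry;
    return true;
}

// Wherever the stored query is echoed back into HTML (the stored-XSS sink the
// advisory describes), escape on output regardless of what input validation did.
function render_query(string $q): string
{
    return '<textarea name="query">'
        . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Constructed session and requests for demonstration only.
$session = [
    'cur_server'   => 'localhost:5432:allow',
    'cur_database' => 'app',
    'history'      => ['localhost:5432:allow' => ['app' => [0 => ['query' => 'SELECT 1']]]],
];
$tampered = ['subject' => 'history', 'server' => 'localhost:5432:allow', 'database' => 'app', 'queryid' => '../x'];
$benign   = ['subject' => 'history', 'server' => 'localhost:5432:allow', 'database' => 'app', 'queryid' => '0'];

var_dump(load_history_query_hardened($tampered, $session));
var_dump(load_history_query_hardened($benign, $session));
echo render_query($session['sqlquery'] ?? ''), PHP_EOL;
```

The two defences are independent on purpose: the allowlist and ownership checks stop the session from being poisoned in the first place, and the output escaping limits the damage if some other code path still manages to store hostile text. Apply the output escaping everywhere the stored query is rendered, not only in the history view.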

🧯 If You Can't Patch

  • Restrict access to phpPgAdmin to trusted networks only
  • Implement web application firewall rules to block suspicious parameter manipulation

🔍 How to Verify

Check if Vulnerable:

Inspect the block in sql.php (around lines 68-76 in 7.13.0, per this advisory) where the 'subject', 'server', 'database' and 'queryid' request parameters are read. If their values are copied into $_SESSION['sqlquery'], or used to select session data, without an allowlist check on 'subject', an integer check on 'queryid', and a check that 'server'/'database' match the session's active connection, the installation is vulnerable.

Check Version:

grep -n 'appVersion' /path/to/phpPgAdmin/libraries/lib.inc.php

phpPgAdmin sets its version string as $appVersion in libraries/lib.inc.php; any value of 7.13.0 or lower is affected.

Verify Fix Applied:

Confirm that sql.php now validates 'subject', 'server', 'database' and 'queryid' (allowlist, type and session-ownership checks) before anything is written to $_SESSION['sqlquery'], and that the stored query is HTML-escaped wherever it is rendered.

📡 Detection & Monitoring

Log Indicators:

  • Requests to sql.php whose 'queryid' is not a plain non-negative integer, whose 'subject' is not a value the page normally handles, or whose 'server'/'database' contain characters outside a connection identifier (quotes, semicolons, angle brackets, path traversal sequences)
  • Bursts of sql.php requests from one client that cycle through many 'server', 'database' or 'queryid' values, which is what probing the session history looks like

Network Indicators:

  • HTTP GET or POST requests to sql.php with manipulated 'subject', 'server', 'database' or 'queryid' values; note that standard web-server access logs record only the query string, so parameters sent in a POST body are visible only if the application, a reverse proxy or a WAF logs them

SIEM Query:

source="web_logs" AND uri_path ENDSWITH "sql.php" AND (params.subject NOT IN ("history") OR params.queryid NOT MATCHES "^[0-9]+$" OR params.server MATCHES "[^A-Za-z0-9_.:-]" OR params.database MATCHES "[^A-Za-z0-9_.:-]")

This is pseudo-syntax: map uri_path and the params.* fields to whatever your log source extracts from the request query string, and treat the subject allowlist as a starting point to tune against the subjects your installation legitimately sends.
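As an added example (not part of the original page, and not vendor tooling), the detection logic above applied to web-server access-log lines: a small PHP CLI script that parses combined-format entries, extracts the four watched parameters from requests to sql.php, and reports the same three anomaly classes the SIEM query targets plus a per-client threshold. The log lines are constructed for this demonstration, and the subject allowlist, character classes and alert threshold are assumptions a deployment would tune.

```php
<?php
// Added example (editor's illustration, not part of the original page). Flags
// sql.php requests whose 'subject', 'server', 'database' or 'queryid' values fall
// outside what a legitimate phpPgAdmin client sends. Sample log lines are
// CONSTRUCTED; allowlists, character classes and the threshold are assumptions.

declare(strict_types=1);

// Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status, bytes, "referer", "UA".
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) HTTP\/[\d.]+" (?<status>\d{3}) \S+ "[^"]*" "[^"]*"$/';

const WATCHED_PARAMS   = ['subject', 'server', 'database', 'queryid'];
const ALLOWED_SUBJECTS = ['history'];   // assumption: tune to the subjects your sql.php accepts
const ALERT_THRESHOLD  = 3;             // assumption: tampered requests per client before alerting

/** Reasons one request URI looks like parameter tampering; empty array means clean. */
function suspicious_reasons(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['path']) || basename($parts['path']) !== 'sql.php') {
        return [];
    }
    $q = [];
    parse_str($parts['query'] ?? '', $q);   // percent-decodes and builds nested arrays
    $reasons = [];
    foreach (WATCHED_PARAMS as $p) {
        if (!isset($q[$p])) {
            continue;
        }
        $v = $q[$p];
        if (!is_string($v)) {                // e.g. queryid[]=1 arrives as an array
            $reasons[] = "$p is not a scalar";
            continue;
        }
        if ($p === 'subject' && !in_array($v, ALLOWED_SUBJECTS, true)) {
            $reasons[] = "subject=$v not in allowlist";
        }
        if ($p === 'queryid' && !ctype_digit($v)) {
            $reasons[] = "queryid=$v is not numeric";
        }
        if (($p === 'server' || $p === 'database') && preg_match('/[^\w.:\-]/', $v) === 1) {
            $reasons[] = "$p contains unexpected characters";
        }
    }
    return $reasons;
}

/** Scan every line; returns per-line findings and a count of tampered requests per client IP. */
function scan_log(array $lines): array
{
    $findings = [];
    $perIp    = [];
    foreach ($lines as $n => $line) {
        if (preg_match(LOG_RE, $line, $m) !== 1) {
            continue;                         // skip lines that are not combined-format
        }
        $reasons = suspicious_reasons($m['uri']);
        if ($reasons !== []) {
            $findings[] = ['line' => $n + 1, 'ip' => $m['ip'], 'uri' => $m['uri'], 'reasons' => $reasons];
            $perIp[$m['ip']] = ($perIp[$m['ip']] ?? 0) + 1;
        }
    }
    return ['findings' => $findings, 'per_ip' => $perIp];
}

// Constructed sample: one benign history lookup, then three tampered requests from one client.
$sample = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /phppgadmin/sql.php?subject=history&server=localhost%3A5432%3Aallow&database=app&queryid=3 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /phppgadmin/sql.php?subject=history&server=localhost%3A5432%3Aallow&database=app&queryid=..%2F..%2Fx HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /phppgadmin/sql.php?subject=%3Cscript%3E&server=localhost&database=app&queryid=1 HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "POST /phppgadmin/sql.php?subject=history&server=a%27%3B--&database=app&queryid%5B%5D=1 HTTP/1.1" 200 1234 "-" "curl/8.0"',
];

$result = scan_log($sample);
foreach ($result['findings'] as $f) {
    printf("line %d %s %s: %s\n", $f['line'], $f['ip'], $f['uri'], implode('; ', $f['reasons']));
}
foreach ($result['per_ip'] as $ip => $count) {
    if ($count >= ALERT_THRESHOLD) {
        printf("ALERT %s: %d tampered sql.php requests\n", $ip, $count);
    }
}
```

Run it as `php scan.php` after replacing `$sample` with lines read from the real access log. Because only the query string is logged, this catches GET-style tampering and POSTs that carry parameters in the URL; parameters sent in a POST body need application-level logging or a WAF in front of phpPgAdmin to be visible at all.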
