CVE-2025-60799 in phpPgAdmin
Summary
by MITRE • 11/20/2025
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.
Analysis
by VulDB Data Team • 11/21/2025
CVE-2025-60799 affects phpPgAdmin 7.13.0 and earlier. The flaw is in sql.php, at lines 68-76, where the script reads the request parameters 'subject', 'server', 'database' and 'queryid' and uses them to decide what is written into $_SESSION['sqlquery']. None of these values is validated against the set the interface legitimately sends, and nothing confirms that the requester is entitled to change the session entry they point at. Because the request directly drives a session write, a crafted request can place attacker-chosen SQL text in $_SESSION['sqlquery']. MITRE classifies the weakness as CWE-284 (Improper Access Control).
The consequence is session poisoning: the attacker's input does not only affect the current response but persists in the server-side session and is picked up by whatever later reads $_SESSION['sqlquery']. The record names two downstream outcomes, rendering of the stored query back into a page and execution of the stored query in a later request. It does not say whether sql.php is reachable without a phpPgAdmin login, so the conservative reading is that a victim who already holds a phpPgAdmin session is induced to issue the crafted request (for example by following a link), after which their own session carries the attacker's query. Either way the control that should tie a session write to validated input and to the legitimate owner of the session is missing, which is exactly the access-control failure the CWE mapping describes.
Impact depends on what consumes the poisoned value. If the stored query is echoed back into a page without escaping, the result is stored cross-site scripting running in the administrator's browser, in the origin of the database console. If it is executed against the connected database, the attacker's SQL runs with the privileges of the victim's database login. The summary also notes that the same session holds connection information and other query state, so an uncontrolled session write is a route into the administrative session rather than a cosmetic defect. The exposure is highest where phpPgAdmin is the management front end for production databases.
Mitigation starts with the code in sql.php. The MITRE record names no fixed release; 7.13.0 is the latest version it lists as affected, so check the project's release history before assuming a patched version exists, and upgrade if one does. Independently of that, the handler should accept 'subject' only from a fixed list of values the interface sends; accept 'server' only if it names a server in the instance's configuration; require 'queryid' to be an integer that indexes an entry in the requesting user's own session history; accept session-changing input only on POST requests carrying a valid anti-CSRF token; and escape $_SESSION['sqlquery'] with htmlspecialchars() whenever it is rendered, which removes the stored XSS outcome even if a bad value does get in. Restricting network access to the phpPgAdmin interface limits who can deliver a crafted request at all. The underlying weakness is CWE-284; the rendered-output consequence is CWE-79. Other phpPgAdmin entry points that copy request values into the session should be reviewed for the same pattern.
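As an added illustration, not the project's sql.php source (which this page does not reproduce), the following PHP shows an unchecked session write in the shape the summary describes next to a hardened handler that applies the checks above. The session layout $_SESSION['history'][server][database][queryid]['query'], the 'query' and 'csrf' parameter names, the $allowedServers list and the demonstration inputs are assumptions made for this example; the real code may differ.

```php
<?php
// Added example (not phpPgAdmin's sql.php): the unchecked session write the
// advisory describes, next to a hardened handler. The session layout
// $_SESSION['history'][server][database][queryid]['query'], the $allowedServers
// list and the parameter names other than subject/server/database/queryid are
// assumptions made for this illustration.

// Vulnerable shape: request values steer a session write with no validation,
// no ownership check and no proof the request was intended by the user.
function storeQueryUnchecked(array $req): void
{
    if (($req['subject'] ?? '') === 'history') {
        $_SESSION['sqlquery'] = $_SESSION['history'][$req['server'] ?? '']
            [$req['database'] ?? ''][$req['queryid'] ?? '']['query'] ?? '';
        return;
    }
    if (isset($req['query'])) {
        $_SESSION['sqlquery'] = $req['query'];   // any string, from any origin
    }
}

// Hardened shape: every parameter is checked against what the UI may send,
// the history entry must belong to this session, and state changes need a
// POST carrying the session's anti-CSRF token.
function storeQueryChecked(string $method, array $req, array $allowedServers): void
{
    if ($method !== 'POST'
        || !isset($req['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $req['csrf'])) {
        throw new RuntimeException('rejected: missing or invalid CSRF token');
    }
    $subject = (string) ($req['subject'] ?? '');
    if (!in_array($subject, ['history', 'sql'], true)) {      // fixed allowlist
        throw new RuntimeException('rejected: unknown subject');
    }
    if ($subject === 'history') {
        $server = (string) ($req['server'] ?? '');
        $db     = (string) ($req['database'] ?? '');
        $qid    = (string) ($req['queryid'] ?? '');
        if (!in_array($server, $allowedServers, true)               // configured server only
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_$]{0,62}$/', $db) // plain identifier
            || !ctype_digit($qid) || strlen($qid) > 9) {            // small non-negative int
            throw new RuntimeException('rejected: bad history parameters');
        }
        // Ownership check: the entry must already exist in THIS user's history.
        $entry = $_SESSION['history'][$server][$db][(int) $qid]['query'] ?? null;
        if (!is_string($entry)) {
            throw new RuntimeException('rejected: no such history entry');
        }
        $_SESSION['sqlquery'] = $entry;
        return;
    }
    // subject === 'sql': the user's own free-form query. It is still their SQL
    // to run, so only bound its size here; the XSS outcome is closed on output.
    $query = (string) ($req['query'] ?? '');
    if (strlen($query) > 65536) {
        throw new RuntimeException('rejected: query too long');
    }
    $_SESSION['sqlquery'] = $query;
}

// Render the stored query into the editor with output escaping, so a poisoned
// value cannot become stored cross-site scripting.
function renderStoredQuery(): string
{
    return htmlspecialchars((string) ($_SESSION['sqlquery'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- CLI demonstration with a constructed session (no real HTTP request) ---
$_SESSION = [
    'csrf'    => bin2hex(random_bytes(16)),
    'history' => ['local' => ['appdb' => [0 => ['query' => 'SELECT now()']]]],
];
$allowedServers = ['local'];
$attack = ['query' => "DROP TABLE users; --<script>alert(1)</script>"];

storeQueryUnchecked($attack);
echo "unchecked stored: ", $_SESSION['sqlquery'], "\n";
echo "escaped on output: ", renderStoredQuery(), "\n";

foreach ([
    ['GET',  $attack],                                                // no token, not POST
    ['POST', $attack + ['csrf' => $_SESSION['csrf'], 'subject' => 'evil']],
    ['POST', ['csrf' => $_SESSION['csrf'], 'subject' => 'history',
              'server' => 'local', 'database' => 'appdb', 'queryid' => '7']],
    ['POST', ['csrf' => $_SESSION['csrf'], 'subject' => 'history',
              'server' => 'local', 'database' => 'appdb', 'queryid' => '0']],
] as [$method, $req]) {
    try {
        storeQueryChecked($method, $req, $allowedServers);
        echo "accepted: ", $_SESSION['sqlquery'], "\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run with php from the command line. The first two lines of output show the unchecked path keeping the attacker's string verbatim and the escaped form that a page should render; the four hardened attempts are rejected for a missing token, an unknown subject and a history entry the session does not hold, and only the request that names an existing entry on a configured server is accepted.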