Security update for pgadmin4 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2260-1 Final 1 1 2024-07-02T08:03:40Z current 2024-07-02T08:03:40Z 2024-07-02T08:03:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pgadmin4 This update for pgadmin4 fixes the following issues: - CVE-2024-4216: Fixed XSS in /settings/store endpoint (bsc#1223868). - CVE-2024-4215: Fixed multi-factor authentication bypass (bsc#1223867). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2260,SUSE-SLE-Module-Python3-15-SP6-2024-2260,openSUSE-SLE-15.6-2024-2260 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242260-1/ Link for SUSE-SU-2024:2260-1 https://lists.suse.com/pipermail/sle-updates/2024-July/035793.html E-Mail link for SUSE-SU-2024:2260-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223867 SUSE Bug 1223867 https://bugzilla.suse.com/1223868 SUSE Bug 1223868 https://www.suse.com/security/cve/CVE-2024-4215/ SUSE CVE CVE-2024-4215 page https://www.suse.com/security/cve/CVE-2024-4216/ SUSE CVE CVE-2024-4216 page SUSE Linux Enterprise Module for Python 3 15 SP6 openSUSE Leap 15.6 pgadmin4-8.5-150600.3.3.1 pgadmin4-cloud-8.5-150600.3.3.1 pgadmin4-desktop-8.5-150600.3.3.1 pgadmin4-doc-8.5-150600.3.3.1 pgadmin4-web-uwsgi-8.5-150600.3.3.1 system-user-pgadmin-8.5-150600.3.3.1 pgadmin4-8.5-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 pgadmin4-doc-8.5-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 system-user-pgadmin-8.5-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 pgadmin4-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 pgadmin4-cloud-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 pgadmin4-desktop-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 pgadmin4-doc-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 pgadmin4-web-uwsgi-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 system-user-pgadmin-8.5-150600.3.3.1 as a component of openSUSE Leap 15.6 pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status. CVE-2024-4215 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-8.5-150600.3.3.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-doc-8.5-150600.3.3.1 SUSE Linux Enterprise Module for Python 3 15 SP6:system-user-pgadmin-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-cloud-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-desktop-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-doc-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-web-uwsgi-8.5-150600.3.3.1 openSUSE Leap 15.6:system-user-pgadmin-8.5-150600.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242260-1/ https://www.suse.com/security/cve/CVE-2024-4215.html CVE-2024-4215 https://bugzilla.suse.com/1223867 SUSE Bug 1223867 pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end. CVE-2024-4216 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-8.5-150600.3.3.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-doc-8.5-150600.3.3.1 SUSE Linux Enterprise Module for Python 3 15 SP6:system-user-pgadmin-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-cloud-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-desktop-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-doc-8.5-150600.3.3.1 openSUSE Leap 15.6:pgadmin4-web-uwsgi-8.5-150600.3.3.1 openSUSE Leap 15.6:system-user-pgadmin-8.5-150600.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242260-1/ https://www.suse.com/security/cve/CVE-2024-4216.html CVE-2024-4216 https://bugzilla.suse.com/1223868 SUSE Bug 1223868