Bug 1162794 (CVE-2019-10784) - VUL-0: CVE-2019-10784: phpPgAdmin: improper source validation may lead to CSRF
Summary: VUL-0: CVE-2019-10784: phpPgAdmin: improper source validation may lead to CSRF
Status: RESOLVED FIXED
Alias: CVE-2019-10784
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.1
Hardware: Other Other
Importance: P3 - Medium Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/252397/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-05 09:57 UTC by Alexandros Toptsoglou
Modified: 2024-05-19 19:09 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2020-02-05 09:57:47 UTC
CVE-2019-10784

phppgadmin through 7.12.1 allows sensitive actions to be performed without
validating that the request originated from the application. One such area,
"database.php" does not verify the source of an HTTP request. This can be
leveraged by a remote attacker to trick a logged-in administrator to visit a
malicious page with a CSRF exploit and execute arbitrary system commands on the
server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10784
https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
Comment 1 Christian Wittmer 2020-03-01 19:47:11 UTC
still no response yet to:
https://github.com/phppgadmin/phppgadmin/issues/94

waiting for upstream ...
Comment 2 Christian Wittmer 2020-05-04 08:48:10 UTC
there is a PR to be merged:
https://github.com/phppgadmin/phppgadmin/pull/99

still waiting for upstream ...
Comment 3 Christian Wittmer 2022-07-14 15:54:34 UTC
created a patch from upstream PR and updated pkg ...
Comment 4 OBSbugzilla Bot 2022-07-14 16:40:02 UTC
This is an autogenerated message for OBS integration:
This bug (1162794) was mentioned in
https://build.opensuse.org/request/show/989217 Factory / phpPgAdmin
https://build.opensuse.org/request/show/989219 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / phpPgAdmin
Comment 5 Swamp Workflow Management 2022-07-26 01:15:50 UTC
openSUSE-SU-2022:10065-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1162794
CVE References: CVE-2019-10784
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    phpPgAdmin-7.13.0-bp154.2.3.1
openSUSE Backports SLE-15-SP3 (src):    phpPgAdmin-7.13.0-bp153.2.6.1
Comment 6 Christian Wittmer 2022-07-29 16:22:56 UTC
I think we can close this, can't we?
Comment 7 Christian Wittmer 2023-11-03 10:56:24 UTC
change state to resolved/fixed
Comment 8 Christian Wittmer 2023-11-03 13:33:11 UTC
should not have closed it.
assign back to security
Comment 9 Marcus Meissner 2024-05-19 19:09:27 UTC
done