pgAdmin 4 · CVE-2025-2945
**Name of the Vulnerable Software and Affected Versions**
pgAdmin 4 versions prior to 9.2
**Description**
CVE-2025-2945 is a remote code execution vulnerability in pgAdmin 4 affecting the Query Tool and Cloud Deployment modules. Two POST endpoints are involved: `/sqleditor/query_tool/download`, where the `query_commited` parameter, and `/cloud/deploy`, where the `high_availability` parameter, are passed unsafely to the Python `eval()` function, allowing arbitrary code execution. The vulnerability can be exploited by sending a specially crafted POST request, potentially allowing full server takeover, execution of arbitrary commands, and lateral movement within the infrastructure. The estimated number of potentially affected devices is over 41,000.
**Recommendations**
To resolve the issue, update pgAdmin 4 to version 9.2 or later. As a temporary workaround, restrict access to the vulnerable endpoints `/sqleditor/query_tool/download` and `/cloud/deploy` to minimize the risk of exploitation. Additionally, avoid using the `query_commited` and `high_availability` parameters in the affected API endpoints until the issue is resolved.
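The following is an added example (not pgAdmin's own code) that illustrates the bug class named in the description and one check that supports the workaround in the recommendations. It contrasts the unsafe pattern (a request parameter that should only ever be a boolean is handed to `eval()`) with a hardened parser that accepts boolean tokens only, and it screens request bodies sent to the two affected paths. The endpoint paths and parameter names come from the advisory; the request bodies are constructed for this example, and the assumption that the parameter arrives form-encoded is made for illustration only.

```python
"""CVE-2025-2945 bug class: a boolean-only request parameter passed to eval(),
beside a hardened parser and a request-body screening check."""
import ast
from urllib.parse import parse_qs

# Constructed request bodies for this example (not captured traffic).
BENIGN_BODY = "query_commited=true&filename=out.csv"
SUSPICIOUS_BODY = "query_commited=1%2B1&filename=out.csv"   # value "1+1": not a boolean

# Affected endpoints and the parameter each one fed to eval(), per the advisory.
VULNERABLE_ENDPOINTS = {
    "/sqleditor/query_tool/download": "query_commited",
    "/cloud/deploy": "high_availability",
}


def parse_flag_vulnerable(value: str) -> object:
    """The unsafe pattern: the raw parameter string is evaluated as Python,
    so any expression the client sends is executed. Shown here only with a
    harmless arithmetic string to make the behaviour visible."""
    return eval(value)  # noqa: S307  intentionally unsafe, for contrast only


def parse_flag_hardened(value: str) -> bool:
    """Accept exactly the boolean spellings a client may send and reject
    everything else. No expression evaluation takes place."""
    normalized = value.strip().lower()
    if normalized in ("true", "1", "yes"):
        return True
    if normalized in ("false", "0", "no", ""):
        return False
    raise ValueError(f"expected a boolean, got {value!r}")


def parse_flag_literal(value: str) -> bool:
    """Alternative: ast.literal_eval() only accepts Python literals (no names,
    calls or operators on non-numeric operands), and the result is still
    type-checked so that a list or number cannot stand in for a boolean."""
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a boolean literal: {value!r}") from exc
    if not isinstance(parsed, bool):
        raise ValueError(f"expected a boolean literal, got {parsed!r}")
    return parsed


def rejects(parser, value: str) -> bool:
    """True when the given parser refuses the value (raises ValueError)."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


def flag_suspicious_request(path: str, body: str) -> bool:
    """Return True when a form-encoded POST body to one of the affected paths
    carries the eval()-bound parameter with a value that is not a plain
    boolean token. Useful as a log-screening or WAF-style check while the
    workaround (restricting the endpoints) is in place."""
    param = VULNERABLE_ENDPOINTS.get(path)
    if param is None:
        return False
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        if rejects(parse_flag_hardened, value):
            return True
    return False


if __name__ == "__main__":
    print("vulnerable parser evaluated '1+1' ->", parse_flag_vulnerable("1+1"))
    print("hardened parser rejects '1+1' ->", rejects(parse_flag_hardened, "1+1"))
    for body in (BENIGN_BODY, SUSPICIOUS_BODY):
        print(body, "->", flag_suspicious_request("/sqleditor/query_tool/download", body))
```

The allowlist parser is the preferable fix: it makes the accepted input set explicit and needs no evaluation at all. `ast.literal_eval()` is included because it is the usual first reach for developers replacing `eval()`, but on its own it still returns lists, dicts and numbers, so the type check after it is what makes it safe for a boolean flag.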