Fernando Bortotti

**Name of the Vulnerable Software and Affected Versions** pgAdmin 4 versions prior to 9.15 **Description** The FileBackedSessionManager in pgAdmin 4 performs unsafe deserialization of session-file contents using Python's standard object-serialization module before conducting an HMAC integrity check. This allows any file placed in the sessions directory to be deserialized unconditionally. An authenticated user with write access to the sessions directory, potentially through misconfiguration or a path-traversal flaw, could use a crafted serialized payload to achieve remote code execution at the operating-system level under the pgAdmin process identity. **Recommendations** Update to version 9.15 or later.

**Name of the Vulnerable Software and Affected Versions** pgAdmin 4 versions prior to 9.15 **Description** A symbolic-link path traversal issue exists in the pgAdmin 4 File Manager. The `check access permission()` function utilized `os.path.abspath`, which resolves parent directory references ('..') but fails to resolve symbolic links. Because the subsequent kernel write operation follows symbolic links, an authenticated user can create a symbolic link within their storage directory that points to a location outside of it. This allows the user to induce pgAdmin to write to any path accessible by the pgAdmin process. This is a Time-of-Check to Time-of-Use (TOCTOU) flaw, where a race condition exists between the access check and the actual file opening. **Recommendations** Update to version 9.15 or later.

**Name of the Vulnerable Software and Affected Versions** pgAdmin 4 versions prior to 9.15 **Description** Improper restriction of excessive authentication attempts occurs because the `MAX LOGIN ATTEMPTS` limit is only enforced within the '/authenticate/login' view. The default '/login' view provided by Flask-Security does not check the `User.locked` field, as the User model relied on `UserMixin.is locked()` (which always returns 'not locked') and `is active` (which only checks the active column). This allows an attacker to bypass brute-force protection for accounts using the INTERNAL authentication source by submitting credentials directly to '/login'. Consequently, login attempts via '/login' are not rate-limited, enabling unbounded online password-guessing attacks. This issue does not affect LDAP, OAuth2, Kerberos, or Webserver users. **Recommendations** Update to version 9.15 or later to ensure the locked column is enforced across all authentication paths.