CVE-2023-40619 — phppgadmin - security update

Description

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.

How to fix CVE-2023-40619

To remediate CVE-2023-40619, upgrade the affected package to a fixed version below.

—upgrade to 7.14.7+dfsg-1 or later
—upgrade to 5.1+ds-4+deb10u1 or later

Is CVE-2023-40619 being exploited?

Low — EPSS is 3.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 7.14.7+dfsg-1
from 0, < 5.1+ds-4+deb10u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-40619