sosedoff / pgweb

Cross-platform client for PostgreSQL databases
https://sosedoff.github.io/pgweb
MIT License

Critical Vulnerability on pgweb can lead to RCE or full database takeover #749

Closed marcioalm closed 3 weeks ago

marcioalm commented 4 weeks ago

Hi Dan,

I've tried a few times to email you directly but didn't receive any response. I think that raising an issue directly in the project can get this information to you more easily.

First of all, thanks for creating the pgweb project. It's a very useful and amazing project used by a lot of people including myself.

Doing some security research on pgweb I found a few security issues that, when chained together, allow full takeover of the database and/or Remote Code Execution on the database server. We want to report these vulnerabilities to you, so you can work towards getting them fixed to protect the users of the tool. However, you have not yet configured a security.md for your project.

The following link has a step-by-step guide on how to activate private vulnerability reports in your repository:

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Could you please set up private vulnerability reporting and configure a security.md policy in the project so we can submit all the vulnerabilities we have found through it? The advantage of doing the reporting process this way is that GitHub will track the security issue automatically for you and will issue a CVE at the end of the process.

This is our responsible vulnerability disclosure policy: https://tantosec.com/vulnerability-disclosure-policy/. Please have a read when you can.

Once you have configured the security.md policy in your project we will submit our findings through it. Please let us know when it is ready.

Looking forward to hearing from you.

Best Regards,

Marcio

istiak101 commented 4 weeks ago

Was preparing a patch https://github.com/sosedoff/pgweb/pull/700 to finish adding dark mode and other frontend fixes. What a coincidence. 😅

sosedoff commented 4 weeks ago

@marcioalm I have enabled private vulnerability reporting.

marcioalm commented 3 weeks ago

The vulnerabilities are now officially reported @sosedoff.

Thanks for enabling private vulnerability reporting in your repository. Since the details to replicate the issues have now been delivered, we will start counting the 90 days for the patch. Please refer to our vulnerability disclosure policy if you have any questions regarding this time frame: https://tantosec.com/vulnerability-disclosure-policy/

Please do not hesitate to contact us if you have any questions regarding how to patch these vulnerabilities.

Looking forward to talking with you once you have a patch available for retesting.

Best Regards,

Marcio

sosedoff commented 3 weeks ago

Closing this since there's a reported issue in a security channel. We'll address it there.