CVE-2025-60799: n/a
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-60799 affects phpPgAdmin, a popular web-based administration tool for PostgreSQL databases, specifically versions 7.13.0 and earlier. The issue resides in the sql.php script, between lines 68 and 76, where the application accepts user-supplied parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. This improper handling allows attackers to manipulate session variables, particularly $_SESSION['sqlquery'], by injecting arbitrary SQL queries. The core weakness is an incorrect access control (CWE-284), which results in session poisoning—where an attacker can overwrite or inject malicious data into a user's session context. This can lead to stored cross-site scripting (XSS) attacks if the injected SQL queries or session data are rendered in the user interface without sanitization. Additionally, unauthorized access to sensitive session data may occur, potentially exposing confidential information or enabling further exploitation. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), and impacts confidentiality and integrity with a CVSS v3.1 base score of 6.1. No patches or known exploits are currently available, highlighting the need for proactive mitigation. The vulnerability's scope is 'changed' (S:C), indicating that exploitation affects resources beyond the vulnerable component, such as session data accessible across the application.
Potential Impact
For European organizations, the exploitation of this vulnerability could lead to unauthorized access to sensitive database session data, potentially exposing confidential business or customer information. Session poisoning and stored XSS could allow attackers to hijack user sessions, execute arbitrary scripts in the context of authenticated users, or manipulate database queries, which may result in data integrity issues or unauthorized data retrieval. Organizations relying on phpPgAdmin for PostgreSQL management, especially in sectors handling sensitive data such as finance, healthcare, or government, face increased risks of data breaches and compliance violations under GDPR. The medium severity score reflects a moderate but tangible risk, particularly as exploitation does not require authentication but does need user interaction, such as clicking a crafted link. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. Disruption to database administration workflows and potential reputational damage are additional concerns.
Mitigation Recommendations
European organizations should immediately review their phpPgAdmin deployments and restrict access to trusted administrators only, ideally limiting access via VPN or internal networks. Implement web application firewalls (WAFs) with rules to detect and block suspicious parameter manipulation targeting sql.php. Monitor session variables and logs for unusual activity indicative of session poisoning or injection attempts. Until an official patch is released, consider disabling or restricting the vulnerable sql.php functionality if feasible. Educate users to avoid clicking untrusted links that could trigger malicious parameter injection. Employ Content Security Policy (CSP) headers to mitigate the impact of stored XSS attacks. Regularly update phpPgAdmin to the latest versions once patches become available. Additionally, conduct security audits of session management and parameter validation mechanisms within phpPgAdmin and related tools. For PostgreSQL environments, ensure that database access controls and logging are robust to detect and respond to suspicious queries or access patterns.
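As an added defensive illustration (not phpPgAdmin's own code, and not reconstructed from the sql.php lines the advisory cites), the following PHP sketches the allow-list validation and authentication check that the Technical Summary and the audit recommendation above describe as missing before 'subject', 'server', 'database' and 'queryid' are used to populate $_SESSION['sqlquery']; the class, method and the assumed session history layout are hypothetical.

```php
<?php
// Added illustrative example, not phpPgAdmin's code. The class, the method and the
// assumed $session['history'][server][database][queryid]['query'] layout are
// hypothetical; the point is that nothing reaches the session until every check passes.
declare(strict_types=1);
final class SqlQuerySessionGuard
{
    // Assumption: only the 'history' subject is allowed to load a stored query.
    private const ALLOWED_SUBJECTS = ['history'];
    /** @var string[] server ids taken from the application's own configuration */
    private array $knownServers;
    public function __construct(array $knownServers)
    {
        $this->knownServers = $knownServers;
    }
    /**
     * Returns the stored query that may be placed in $_SESSION['sqlquery'],
     * or null when any check fails. The caller writes to the session only on a
     * non-null result, so a forged request cannot poison it.
     */
    public function resolveHistoryQuery(array $session, array $request): ?string
    {
        // Access control: an unauthenticated request may never touch stored queries.
        if (empty($session['authenticated'])) {
            return null;
        }
        // 'subject' is matched against an allow-list, not trusted as sent.
        if (!in_array($request['subject'] ?? '', self::ALLOWED_SUBJECTS, true)) {
            return null;
        }
        // 'server' must be one the application itself is configured for.
        $server = $request['server'] ?? '';
        if (!in_array($server, $this->knownServers, true)) {
            return null;
        }
        // 'database' is only used as an array key here, so it is bounded to a short plain string.
        $database = $request['database'] ?? '';
        if (!is_string($database) || $database === '' || strlen($database) > 63) {
            return null;
        }
        // 'queryid' must be an integer naming an entry in this user's own history
        // (filter_var returns false for arrays, non-numeric strings and null).
        $queryid = filter_var($request['queryid'] ?? null, FILTER_VALIDATE_INT);
        if ($queryid === false) {
            return null;
        }
        $entry = $session['history'][$server][$database][$queryid]['query'] ?? null;
        return is_string($entry) ? $entry : null;
    }
}
```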
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691f31a85f37bd1ac456251b
Added to database: 11/20/2025, 3:20:08 PM
Last enriched: 11/27/2025, 3:41:12 PM
Last updated: 1/7/2026, 4:18:03 AM
Views: 58