GSA_kwCzR0hTQS03YzRjLTc0OWotcGZwMs4ABAWE

Low EPSS: 0.00336% (0.5588 Percentile) EPSS:

Permalink JSON

Admidio Vulnerable to HTML Injection In The Messages Section

Affected Packages	Affected Versions	Fixed Versions
packagist:admidio/admidio	< 4.3.12	4.3.12
1 Dependent packages 1 Dependent repositories 23 Downloads total Affected Version Ranges All affected versions 4.1.0, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11 All unaffected versions 4.3.12, 4.3.13, 4.3.14, 4.3.15

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

Go to
https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
Click on Send Private Message
In the Message field, enter the following payload
Testing<br><h1>HTML</h1><br><h2>Injection</h2>

Send the message
Open the message again

Impact

Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
Session Hijacking: Gaining unauthorized access to user accounts.
Phishing: Tricking users into revealing sensitive information.
Website Defacement: Altering the appearance or content of the website.
Malware Distribution: Spreading malware to users' devices.
Denial of Service (DoS): Overloading the server with malicious requests.

References:

Identifiers

GHSA-7c4c-749j-pfp2

CVE-2024-47836

Risk

Severity

Low

EPSS

EPSS Percentage: 0.00336

EPSS Percentile: 0.5588

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/Admidio/admidio

Date and time

Published

10 months ago

Updated

10 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories