Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03YzRjLTc0OWotcGZwMs4ABAWE

Admidio Vulnerable to HTML Injection In The Messages Section

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

1. Go to
   https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
2. Click on Send Private Message
3. In the Message field, enter the following payload
   Testing<br><h1>HTML</h1><br><h2>Injection</h2>

4. Send the message
5. Open the message again

Impact

1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
2. Session Hijacking: Gaining unauthorized access to user accounts.
3. Phishing: Tricking users into revealing sensitive information.
4. Website Defacement: Altering the appearance or content of the website.
5. Malware Distribution: Spreading malware to users' devices.
6. Denial of Service (DoS): Overloading the server with malicious requests.

Permalink: https://github.com/advisories/GHSA-7c4c-749j-pfp2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03YzRjLTc0OWotcGZwMs4ABAWE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 month ago
Updated: about 1 month ago

CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-7c4c-749j-pfp2, CVE-2024-47836
References:

• https://github.com/Admidio/admidio/security/advisories/GHSA-7c4c-749j-pfp2
• https://github.com/Admidio/admidio/commit/176f60de6a38dde2b8e848b97647194c12cf5a6c
• https://nvd.nist.gov/vuln/detail/CVE-2024-47836
• https://github.com/advisories/GHSA-7c4c-749j-pfp2

Repository: https://github.com/Admidio/admidio
Blast Radius: 0.0

Affected Packages