Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03YzRjLTc0OWotcGZwMs4ABAWE

Admidio Vulnerable to HTML Injection In The Messages Section

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

Go to
https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
Click on Send Private Message
In the Message field, enter the following payload
Testing<br><h1>HTML</h1><br><h2>Injection</h2>

Send the message
Open the message again

Impact

Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
Session Hijacking: Gaining unauthorized access to user accounts.
Phishing: Tricking users into revealing sensitive information.
Website Defacement: Altering the appearance or content of the website.
Malware Distribution: Spreading malware to users' devices.
Denial of Service (DoS): Overloading the server with malicious requests.

Permalink: https://github.com/advisories/GHSA-7c4c-749j-pfp2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03YzRjLTc0OWotcGZwMs4ABAWE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 1 day ago
Updated: 1 day ago

CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-7c4c-749j-pfp2, CVE-2024-47836
References:

Repository: https://github.com/Admidio/admidio
Blast Radius: 0.0

Affected Packages

packagist:admidio/admidio

Dependent packages: 1
Dependent repositories: 1
Downloads: 17 total
Affected Version Ranges: < 4.3.12
Fixed in: 4.3.12
All affected versions: 4.1.0, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11
All unaffected versions: