Advisories for Composer/Admidio/Admidio package

2024

Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment

Description: Remote Code Execution Vulnerability has been identified in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL {admidio_base_url}/adm_my_files/messages_attachments/{file_name}. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. An attacker can …

Admidio has Blind SQL Injection in ecard_send.php

Description: An SQL Injection has been identified in the /adm_program/modules/ecards/ecard_send.php source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of ecard_recipients POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection …

2023
2022