Admidio

Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17.

Published: 2025-10-22T21:19:00.940Z
Updated: 2025-10-23T16:17:28.926Z

Admidio is an open-source user management solution. Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Version 4.3.12 fixes this issue.

Published: 2024-10-16T19:43:07.894Z
Updated: 2024-10-16T20:07:29.259Z

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10.

Published: 2024-07-29T14:29:51.147Z
Updated: 2024-08-02T04:12:25.623Z

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.

Published: 2024-07-29T14:22:57.188Z
Updated: 2024-08-02T04:04:23.431Z

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11.

Published: 2023-08-06T00:00:20.469Z
Updated: 2024-10-09T18:21:42.840Z

Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.

Published: 2023-07-16T00:00:20.410Z
Updated: 2024-10-28T20:07:05.935Z

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

Published: 2023-06-23T00:00:00.000Z
Updated: 2024-11-07T19:58:09.309Z

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

Published: 2023-06-23T00:00:00.000Z
Updated: 2024-11-07T20:01:13.744Z

Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.

Published: 2023-06-23T00:00:00.000Z
Updated: 2024-11-07T20:05:51.366Z

Cross-site Scripting (XSS) - Stored in GitHub repository admidio/admidio prior to 4.2.8.

Published: 2023-06-05T00:00:00.000Z
Updated: 2025-01-08T17:25:43.782Z

Admidio 4.1.2 version is affected by stored cross-site scripting (XSS).

Published: 2022-06-28T12:11:53.000Z
Updated: 2024-08-03T03:59:22.479Z

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.

Published: 2022-03-19T07:35:09.000Z
Updated: 2024-08-02T23:47:42.882Z

Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.

Published: 2021-12-07T22:00:12.000Z
Updated: 2024-08-04T04:03:08.738Z

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4.

Published: 2021-05-20T16:45:12.000Z
Updated: 2024-08-03T23:25:30.558Z

SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.

Published: 2020-04-24T20:25:14.000Z
Updated: 2024-08-04T11:21:14.613Z

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication.

Published: 2026-05-25T14:15:15.780Z
Updated: 2026-05-26T15:00:45.492Z