Headline

GHSA-7c4c-749j-pfp2: Admidio Vulnerable to HTML Injection In The Messages Section

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
Click on Send Private Message
In the Message field, enter the following payload Testing<br><h1>HTML</h1><br><h2>Injection</h2>

Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
Session Hijacking: Gaining unauthorized access to user accounts.
Phishing: Tricking users into revealing sensitive information.
Website Defacement: Altering the appearance or content of the website.
Malware Distribution: Spreading malware to users’ devices.
Denial of Service (DoS): Overloading the server with malicious requests.

1 month ago

Admidio Vulnerable to HTML Injection In The Messages Section

Low severity GitHub Reviewed Published Oct 16, 2024 in Admidio/admidio • Updated Oct 16, 2024

Package

composer admidio/admidio (Composer)

Affected versions

< 4.3.12

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

Go to
https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
Click on Send Private Message
In the Message field, enter the following payload
Testing<br><h1>HTML</h1><br><h2>Injection</h2>
Send the message
Open the message again

Impact

Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
Session Hijacking: Gaining unauthorized access to user accounts.
Phishing: Tricking users into revealing sensitive information.
Website Defacement: Altering the appearance or content of the website.
Malware Distribution: Spreading malware to users’ devices.
Denial of Service (DoS): Overloading the server with malicious requests.

References