Admidio Vulnerable to HTML Injection In The Messages Section

Low severity • GitHub Reviewed • Published Oct 16, 2024 in Admidio/admidio • Updated Oct 16, 2024

CVE ID

CVE-2024-47836

Package

composer admidio/admidio (Composer)

Affected versions

< 4.3.12

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

  1. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
  2. Click on Send Private Message
  3. In the Message field, enter the following payload: Testing<br><h1>HTML</h1><br><h2>Injection</h2>
  4. Send the message
  5. Open the message again
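As an added example (not Admidio's own code, and not the referenced fix commit), the rendering pattern that lets the PoC payload above become live markup for the recipient, beside the output-encoded form that leaves it inert; the function names and the sample message constant are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the PoC payload exactly as it would arrive from the
// "Message" field and be stored for the recipient.
const SAMPLE_MESSAGE = 'Testing<br><h1>HTML</h1><br><h2>Injection</h2>';

// Vulnerable pattern (hypothetical, for contrast): the stored message is
// concatenated into the page unchanged, so every tag the sender typed is
// parsed as markup when the recipient opens the message.
function renderMessageUnsafe(string $stored): string
{
    return '<div class="message-body">' . $stored . '</div>';
}

// Hardened pattern: encode at the output boundary. ENT_QUOTES also encodes
// both quote styles, so the same value is safe inside attribute values.
function encodeForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderMessageSafe(string $stored): string
{
    return '<div class="message-body">' . encodeForHtml($stored) . '</div>';
}

// Defender-side check for a regression test: an HTML parser opens a tag at
// a '<' followed by a letter or '/', so any such sequence left in the body
// after encoding means the encoding step was skipped somewhere.
function containsLiveTags(string $fragment): bool
{
    return preg_match('#<[A-Za-z/]#', $fragment) === 1;
}

$stored  = SAMPLE_MESSAGE;
$encoded = encodeForHtml($stored);

printf("raw body has live tags:     %s\n", containsLiveTags($stored) ? 'yes' : 'no');
printf("encoded body has live tags: %s\n", containsLiveTags($encoded) ? 'yes' : 'no');
echo renderMessageUnsafe($stored), PHP_EOL;
echo renderMessageSafe($stored), PHP_EOL;
```

Run the check against every template path that emits a stored message; a message body that still satisfies containsLiveTags after rendering is the condition the PoC relies on.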

Impact

  1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
  2. Session Hijacking: Gaining unauthorized access to user accounts.
  3. Phishing: Tricking users into revealing sensitive information.
  4. Website Defacement: Altering the appearance or content of the website.
  5. Malware Distribution: Spreading malware to users’ devices.
  6. Denial of Service (DoS): Overloading the server with malicious requests.

References

  • GHSA-7c4c-749j-pfp2
  • Admidio/admidio@176f60d

Published to the GitHub Advisory Database

Oct 16, 2024

Last updated

Oct 16, 2024
