GHSA-7c4c-749j-pfp2

Suggest an improvement
Source
https://github.com/advisories/GHSA-7c4c-749j-pfp2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-7c4c-749j-pfp2/GHSA-7c4c-749j-pfp2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7c4c-749j-pfp2
Aliases
Published
2024-10-16T19:50:40Z
Modified
2024-10-16T22:26:07.747718Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Admidio Vulnerable to HTML Injection In The Messages Section
Details

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

  1. Go to https://www.admidio.org/demoen/admprogram/modules/messages/messages.php
  2. Click on Send Private Message
  3. In the Message field, enter the following payload Testing<br><h1>HTML</h1><br><h2>Injection</h2>

image

  1. Send the message
  2. Open the message again

image

Impact

  1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
  2. Session Hijacking: Gaining unauthorized access to user accounts.
  3. Phishing: Tricking users into revealing sensitive information.
  4. Website Defacement: Altering the appearance or content of the website.
  5. Malware Distribution: Spreading malware to users' devices.
  6. Denial of Service (DoS): Overloading the server with malicious requests.
Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-16T19:50:40Z",
    "cwe_ids": [
        "CWE-502",
        "CWE-79"
    ],
    "nvd_published_at": "2024-10-16T20:15:06Z",
    "severity": "LOW"
}
References

Affected packages

Packagist / admidio/admidio

Package

Name
admidio/admidio
Purl
pkg:composer/admidio/admidio

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.12

Affected versions

4.*
4.1.0
4.1.3
v4.*
v4.2-Beta.1
v4.2-Beta.2
v4.2-Beta.3
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.3-Beta.1
v4.3-Beta.3
v4.3-Beta.4
v4.3-Beta.5
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.3.10
v4.3.11

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-7c4c-749j-pfp2/GHSA-7c4c-749j-pfp2.json"