Filtered by vendor Admidio
Subscriptions
Filtered by product Admidio
Subscriptions
Total
17 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-38529 | 1 Admidio | 1 Admidio | 2024-11-21 | 9.1 Critical |
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10. | ||||
CVE-2023-4190 | 1 Admidio | 1 Admidio | 2024-11-21 | 6.5 Medium |
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. | ||||
CVE-2023-47380 | 1 Admidio | 1 Admidio | 2024-11-21 | 6.1 Medium |
Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). | ||||
CVE-2023-3692 | 1 Admidio | 1 Admidio | 2024-11-21 | 7.2 High |
Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10. | ||||
CVE-2023-3304 | 1 Admidio | 1 Admidio | 2024-11-21 | 5.4 Medium |
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9. | ||||
CVE-2023-3303 | 1 Admidio | 1 Admidio | 2024-11-21 | 3.5 Low |
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9. | ||||
CVE-2023-3302 | 1 Admidio | 1 Admidio | 2024-11-21 | 7.8 High |
Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9. | ||||
CVE-2023-3109 | 1 Admidio | 1 Admidio | 2024-11-21 | 5.4 Medium |
Cross-site Scripting (XSS) - Stored in GitHub repository admidio/admidio prior to 4.2.8. | ||||
CVE-2022-23896 | 1 Admidio | 1 Admidio | 2024-11-21 | 5.4 Medium |
Admidio 4.1.2 version is affected by stored cross-site scripting (XSS). | ||||
CVE-2022-0991 | 1 Admidio | 1 Admidio | 2024-11-21 | 7.1 High |
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9. | ||||
CVE-2021-43810 | 1 Admidio | 1 Admidio | 2024-11-21 | 8.8 High |
Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12. | ||||
CVE-2021-32630 | 1 Admidio | 1 Admidio | 2024-11-21 | 9.6 Critical |
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4. | ||||
CVE-2020-11004 | 1 Admidio | 1 Admidio | 2024-11-21 | 7.7 High |
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13. | ||||
CVE-2017-8382 | 1 Admidio | 1 Admidio | 2024-11-21 | N/A |
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts. | ||||
CVE-2017-6492 | 1 Admidio | 1 Admidio | 2024-11-21 | N/A |
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization. | ||||
CVE-2008-5209 | 1 Admidio | 1 Admidio | 2024-11-21 | N/A |
Directory traversal vulnerability in modules/download/get_file.php in Admidio 1.4.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | ||||
CVE-2024-47836 | 1 Admidio | 1 Admidio | 2024-10-18 | 3.5 Low |
Admidio is an open-source user management solution. Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Version 4.3.12 fixes this issue. |
Page 1 of 1.