CVE-2021-32630 - OpenCVE

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Admidio	Admidio

Configuration 1 [-]

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Admidio/admidio/issues/994
https://github.com/Admidio/admidio/releases/tag/v4.0.4
https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-05-20T16:45:12

Updated: 2024-08-03T23:25:30.558Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32630

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-20T17:15:07.773

Modified: 2021-05-27T02:13:53.557

Link: CVE-2021-32630

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "admidio", "vendor": "Admidio", "versions": [{"status": "affected", "version": "< 4.0.4"}]}], "descriptions": [{"lang": "en", "value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-20T16:45:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/issues/994"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v4.0.4"}], "source": {"advisory": "GHSA-xpqj-67r8-25j2", "discovery": "UNKNOWN"}, "title": "Various ", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32630", "STATE": "PUBLIC", "TITLE": "Various "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "admidio", "version": {"version_data": [{"version_value": "< 4.0.4"}]}}]}, "vendor_name": "Admidio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2", "refsource": "CONFIRM", "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2"}, {"name": "https://github.com/Admidio/admidio/issues/994", "refsource": "MISC", "url": "https://github.com/Admidio/admidio/issues/994"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v4.0.4", "refsource": "MISC", "url": "https://github.com/Admidio/admidio/releases/tag/v4.0.4"}]}, "source": {"advisory": "GHSA-xpqj-67r8-25j2", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.558Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Admidio/admidio/issues/994"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Admidio/admidio/releases/tag/v4.0.4"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32630", "datePublished": "2021-05-20T16:45:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:30.558Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "2648A1F8-BEE6-468C-8FFD-BC8B014A3006", "versionEndExcluding": "4.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4."}, {"lang": "es", "value": "Admidio es un sistema de administraci\u00f3n de usuarios de c\u00f3digo abierto y gratuito para sitios web de organizaciones y grupos. En Admidio versiones anteriores a 4.0.4, presenta un RCE autenticado por medio de la carga de archivos .phar. Puede ser cargado un shell web php por medio de la carga de la funcionalidad Documents & Files. Alguien con permisos de carga podr\u00eda renombrar el shell php con una extensi\u00f3n .phar, visitar el archivo, desencadenando la carga \u00fatil para un shell reverse/bind. Esto puede ser mitigado al excluir una extensi\u00f3n de archivo .phar para cargar (como lo hizo con .php .phtml .php5, etc.). La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 4.0.4"}], "id": "CVE-2021-32630", "lastModified": "2021-05-27T02:13:53.557", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-20T17:15:07.773", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Admidio/admidio/issues/994"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Admidio/admidio/releases/tag/v4.0.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}