Markus Faßbender

19 exploits Active since Apr 2020
CVE-2026-34381 WRITEUP HIGH
Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module, regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
CVSS 7.5
CVE-2026-34382 WRITEUP MEDIUM
Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
CVSS 4.6
CVE-2026-34383 WRITEUP MEDIUM
Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.
CVSS 4.3
CVE-2026-34384 WRITEUP MEDIUM
Admidio: Missing CSRF Protection on Registration Approval Actions
Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.
CVSS 4.5
CVE-2026-32812 WRITEUP MEDIUM
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, unrestricted URL fetch in the SSO Metadata API can result in SSRF and local file reads. The SSO Metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller. This issue has been fixed in version 5.0.7.
CVSS 6.8
CVE-2026-32813 WRITEUP HIGH
Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.
CVSS 8.0
CVE-2026-30927 WRITEUP MEDIUM
Admidio <5.0.6 - Privilege Escalation
Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6.
CVSS 5.4
CVE-2020-11004 WRITEUP HIGH
Admidio <3.3.13 - SQL Injection
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation or sanitization, so an attacker, without logging in, can send a GET request with arbitrary SQL appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.
CVSS 7.7
CVE-2021-43810 WRITEUP HIGH
Admidio <4.0.12 - XSS
Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is able to execute malicious scripts. This issue is patched in version 4.0.12.
CVSS 8.8
CVE-2022-0991 WRITEUP HIGH
Admidio < 4.1.9 - Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
CVSS 7.1
CVE-2023-3109 WRITEUP MEDIUM
admidio/admidio <4.2.8 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository admidio/admidio prior to 4.2.8.
CVSS 5.4
CVE-2023-3302 WRITEUP HIGH
admidio/admidio <4.2.9 - Info Disclosure
Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.
CVSS 7.8
CVE-2023-3303 WRITEUP LOW
admidio/admidio <4.2.9 - Info Disclosure
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.
CVSS 3.5
CVE-2023-3304 WRITEUP MEDIUM
admidio/admidio <4.2.9 - Info Disclosure
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.
CVSS 5.4
CVE-2023-3692 WRITEUP HIGH
Admidio < 4.2.10 - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.
CVSS 7.2
CVE-2023-4190 WRITEUP MEDIUM
Admidio < 4.2.11 - Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11.
CVSS 6.5
CVE-2024-37906 WRITEUP CRITICAL
Admidio < 4.3.9 - SQL Injection
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of the `ecard_recipients` POST parameter is directly concatenated with the SQL query in the source code, causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and out-of-band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.
CVSS 9.9
CVE-2024-38529 WRITEUP CRITICAL
Admidio <4.3.10 - RCE
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file as an attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused by the lack of file extension verification, allowing malicious files to be uploaded to the server, combined with the public availability of the uploaded file. This vulnerability is fixed in 4.3.10.
CVSS 9.0
CVE-2025-62617 WRITEUP HIGH
Admidio < 4.3.17 - SQL Injection
Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17.
CVSS 7.2