Description
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/Admidio/admidio/security/advisories/GHSA-qh57-rcff-gx54
Third Party Advisory x_refsource_misc
https://github.com/Admidio/admidio/issues/908
Scores
CVSS v3
7.7
EPSS
0.0029
EPSS Percentile
52.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-89
Status
published
Products (1)
admidio/admidio
< 3.3.13
Published
Apr 24, 2020
Tracked Since
Feb 18, 2026