Show filters
18 Total Results
Displaying 11-18 of 18
Sort by:
Attacker Value
Unknown

CVE-2022-23896

Disclosure Date: June 28, 2022 (last updated October 07, 2023)
Admidio 4.1.2 version is affected by stored cross-site scripting (XSS).
Attacker Value
Unknown

CVE-2022-0991

Disclosure Date: March 19, 2022 (last updated October 07, 2023)
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
Attacker Value
Unknown

CVE-2021-43810

Disclosure Date: December 07, 2021 (last updated February 23, 2025)
Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.
Attacker Value
Unknown

CVE-2021-32630

Disclosure Date: May 20, 2021 (last updated February 22, 2025)
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4.
Attacker Value
Unknown

CVE-2020-11004

Disclosure Date: April 24, 2020 (last updated February 21, 2025)
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.
Attacker Value
Unknown

CVE-2017-8382

Disclosure Date: May 16, 2017 (last updated November 26, 2024)
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
0
Attacker Value
Unknown

CVE-2017-6492

Disclosure Date: March 05, 2017 (last updated November 26, 2024)
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.
0
Attacker Value
Unknown

CVE-2008-5209

Disclosure Date: November 24, 2008 (last updated October 04, 2023)
Directory traversal vulnerability in modules/download/get_file.php in Admidio 1.4.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
0