CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0991 – Insufficient Session Expiration in admidio/admidio
https://notcve.org/view.php?id=CVE-2022-0991
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9. Una Expiración de Sesión Insuficiente en el repositorio de GitHub admidio/admidio versiones anteriores a 4.1.9 • https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4 • CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43810 – Cross-site Scripting (XSS) when redirect an url
https://notcve.org/view.php?id=CVE-2021-43810
Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12. • https://github.com/Admidio/admidio/commit/c043267d362f7813543cc2785119bf3e3e54fe21 https://github.com/Admidio/admidio/commit/fcb0609abc1d2f65bc1377866bd678e5d891404b https://github.com/Admidio/admidio/releases/tag/v4.0.12 https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32630 – Various
https://notcve.org/view.php?id=CVE-2021-32630
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). • https://github.com/Admidio/admidio/issues/994 https://github.com/Admidio/admidio/releases/tag/v4.0.4 https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11004 – SQL Injection in Admidio
https://notcve.org/view.php?id=CVE-2020-11004
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13. Se descubrió una Inyección SQL en Admidio versiones anteriores a la versión 3.3.13. • https://github.com/Admidio/admidio/commit/ea5d6f114b151ed11ec0ad7cb47bd729e77a874a https://github.com/Admidio/admidio/issues/908 https://github.com/Admidio/admidio/security/advisories/GHSA-qh57-rcff-gx54 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-8382 – Admidio 3.2.8 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-8382
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts. Admidio 3.2.8 tiene CSRF en adm_program/modules/members/members_function.php con un impacto de eliminar cuentas de usuario arbitrarias. Admidio version 3.2.8 suffers from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/42005 http://en.0day.today/exploit/27771 https://github.com/Admidio/admidio/issues/612 https://github.com/faizzaidi/Admidio-3.2.8-CSRF-POC-by-Provensec-llc • CWE-352: Cross-Site Request Forgery (CSRF) •