CVE-2024-37906 (GCVE-0-2024-37906)
Vulnerability from cvelistv5 – Published: 2024-07-29 14:22 – Updated: 2024-08-02 04:04
VLAI?
Title
Admidio has Blind SQL Injection in ecard_send.php
Summary
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "admidio",
"vendor": "admidio",
"versions": [
{
"lessThan": "4.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:08:05.485702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:09:45.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:23.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3"
},
{
"name": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "admidio",
"vendor": "Admidio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T14:22:57.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3"
},
{
"name": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248"
}
],
"source": {
"advisory": "GHSA-69wx-xc6j-28v3",
"discovery": "UNKNOWN"
},
"title": "Admidio has Blind SQL Injection in ecard_send.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37906",
"datePublished": "2024-07-29T14:22:57.188Z",
"dateReserved": "2024-06-10T19:54:41.362Z",
"dateUpdated": "2024-08-02T04:04:23.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.\"}, {\"lang\": \"es\", \"value\": \"Admidio es un sistema de gesti\\u00f3n de usuarios gratuito y de c\\u00f3digo abierto para sitios web de organizaciones y grupos. En Admidio anterior a la versi\\u00f3n 4.3.9, hay una inyecci\\u00f3n SQL en el archivo fuente `/adm_program/modules/ecards/ecard_send.php` de la aplicaci\\u00f3n Admidio. La inyecci\\u00f3n SQL resulta en un compromiso de la base de datos de la aplicaci\\u00f3n. El valor del par\\u00e1metro POST `ecard_recipients `se concatena directamente con la consulta SQL en el c\\u00f3digo fuente que causa la inyecci\\u00f3n SQL. La inyecci\\u00f3n SQL puede ser explotada por un usuario miembro, utilizando cargas \\u00fatiles de inyecci\\u00f3n SQL ciegas basadas en condiciones, basadas en tiempo y fuera de banda. Esta vulnerabilidad se solucion\\u00f3 en 4.3.9.\"}]",
"id": "CVE-2024-37906",
"lastModified": "2024-11-21T09:24:30.690",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 6.0}]}",
"published": "2024-07-29T15:15:10.747",
"references": "[{\"url\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-37906\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-29T15:15:10.747\",\"lastModified\":\"2025-03-06T14:55:28.160\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.\"},{\"lang\":\"es\",\"value\":\"Admidio es un sistema de gesti\u00f3n de usuarios gratuito y de c\u00f3digo abierto para sitios web de organizaciones y grupos. En Admidio anterior a la versi\u00f3n 4.3.9, hay una inyecci\u00f3n SQL en el archivo fuente `/adm_program/modules/ecards/ecard_send.php` de la aplicaci\u00f3n Admidio. La inyecci\u00f3n SQL resulta en un compromiso de la base de datos de la aplicaci\u00f3n. El valor del par\u00e1metro POST `ecard_recipients `se concatena directamente con la consulta SQL en el c\u00f3digo fuente que causa la inyecci\u00f3n SQL. La inyecci\u00f3n SQL puede ser explotada por un usuario miembro, utilizando cargas \u00fatiles de inyecci\u00f3n SQL ciegas basadas en condiciones, basadas en tiempo y fuera de banda. Esta vulnerabilidad se solucion\u00f3 en 4.3.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.3.9\",\"matchCriteriaId\":\"FA2DCF7C-EA85-432B-A8BF-F85600D19D7A\"}]}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"name\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:04:23.431Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37906\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-29T15:08:05.485702Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\"], \"vendor\": \"admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.3.9\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-29T15:09:41.011Z\"}}], \"cna\": {\"title\": \"Admidio has Blind SQL Injection in ecard_send.php\", \"source\": {\"advisory\": \"GHSA-69wx-xc6j-28v3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.3.9\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"name\": \"https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-29T14:22:57.188Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-37906\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:04:23.431Z\", \"dateReserved\": \"2024-06-10T19:54:41.362Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-29T14:22:57.188Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-37906
Vulnerability from fkie_nvd - Published: 2024-07-29 15:15 - Updated: 2025-03-06 14:55
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA2DCF7C-EA85-432B-A8BF-F85600D19D7A",
"versionEndExcluding": "4.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9."
},
{
"lang": "es",
"value": "Admidio es un sistema de gesti\u00f3n de usuarios gratuito y de c\u00f3digo abierto para sitios web de organizaciones y grupos. En Admidio anterior a la versi\u00f3n 4.3.9, hay una inyecci\u00f3n SQL en el archivo fuente `/adm_program/modules/ecards/ecard_send.php` de la aplicaci\u00f3n Admidio. La inyecci\u00f3n SQL resulta en un compromiso de la base de datos de la aplicaci\u00f3n. El valor del par\u00e1metro POST `ecard_recipients `se concatena directamente con la consulta SQL en el c\u00f3digo fuente que causa la inyecci\u00f3n SQL. La inyecci\u00f3n SQL puede ser explotada por un usuario miembro, utilizando cargas \u00fatiles de inyecci\u00f3n SQL ciegas basadas en condiciones, basadas en tiempo y fuera de banda. Esta vulnerabilidad se solucion\u00f3 en 4.3.9."
}
],
"id": "CVE-2024-37906",
"lastModified": "2025-03-06T14:55:28.160",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-29T15:15:10.747",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-69WX-XC6J-28V3
Vulnerability from github – Published: 2024-07-29 16:31 – Updated: 2024-07-29 16:31
VLAI?
Summary
Admidio has Blind SQL Injection in ecard_send.php
Details
Description:
An SQL Injection has been identified in the /adm_program/modules/ecards/ecard_send.php source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of ecard_recipientsPOST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection.
The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. I successfully exploited SQL Injections by causing Time Delays. Advancing the payload, I was able to exfiltrate data from the database based on trial and error conditions and step-wise enumerating the characters of the database name. This was done as a POC of SQL Injection. An attacker could simply drop the database by providing a single payload, steal data, and potentially update the database according to their will.
Impact:
SQL injection (SQLi) vulnerabilities can have serious consequences for the security of a web application and its underlying database. Attackers can use SQLi to access sensitive data, and modify, delete, or add data to the database. SQLi can also be potentially used to perform RCE.
Remediation:
Use parameterized queries or prepared statements instead of concatenating user input directly into SQL queries. Parameterized queries ensure that user input is treated as data and not executable queries. OR Sanitize the input before including it in the SQL Query.
Steps to Reproduce:
- Intercept the POST request to
/adm_program/modules/ecards/ecard_send.php, which is used to send photo as greeting card. - Change the value of
ecard_recipients%5B%5DPOST parameter to2%2bsleep(10). - Sending the request will cause a time delay.
Proof Of Concept:
Figure 1: Code Vulnerable to SQL Injection
Figure 2: Code Vulnerable to SQL Injection
Figure 3: SQLi to trigger time delay
Figure 4: Data Exfiltration via Condition-based Time Delays
Severity ?
9.9 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37906"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-29T16:31:46Z",
"nvd_published_at": "2024-07-29T15:15:10Z",
"severity": "CRITICAL"
},
"details": "### Description:\nAn SQL Injection has been identified in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application\u0027s database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection.\n\nThe SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. I successfully exploited SQL Injections by causing Time Delays. Advancing the payload, I was able to exfiltrate data from the database based on trial and error conditions and step-wise enumerating the characters of the database name. This was done as a POC of SQL Injection. An attacker could simply drop the database by providing a single payload, steal data, and potentially update the database according to their will. \n\n### Impact:\nSQL injection (SQLi) vulnerabilities can have serious consequences for the security of a web application and its underlying database. Attackers can use SQLi to access sensitive data, and modify, delete, or add data to the database. SQLi can also be potentially used to perform RCE. \n\n### Remediation:\nUse parameterized queries or prepared statements instead of concatenating user input directly into SQL queries. Parameterized queries ensure that user input is treated as data and not executable queries. \nOR \nSanitize the input before including it in the SQL Query.\n\n### Steps to Reproduce:\n- Intercept the POST request to `/adm_program/modules/ecards/ecard_send.php`, which is used to send photo as greeting card.\n- Change the value of `ecard_recipients%5B%5D` POST parameter to `2%2bsleep(10)`.\n- Sending the request will cause a time delay.\n\n### Proof Of Concept:\n\n\nFigure 1: Code Vulnerable to SQL Injection\n\n\nFigure 2: Code Vulnerable to SQL Injection\n\n\nFigure 3: SQLi to trigger time delay\n\n\nFigure 4: Data Exfiltration via Condition-based Time Delays",
"id": "GHSA-69wx-xc6j-28v3",
"modified": "2024-07-29T16:31:46Z",
"published": "2024-07-29T16:31:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37906"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Admidio has Blind SQL Injection in ecard_send.php"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…