CVE-2024-47836

LOW3.5EPSS 1.6%

Admidio Vulnerable to HTML Injection In The Messages Section

Published: 10/16/2024Modified: 10/16/2024
Also known as:GHSA-7c4c-749j-pfp2

Description

### Summary An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. ### PoC 1. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php 2. Click on Send Private Message 3. In the `Message` field, enter the following payload `Testing<br><h1>HTML</h1><br><h2>Injection</h2>` > ![image](https://github.com/user-attachments/assets/0e5d9e4e-69c5-4908-9ab9-0c45c2548ff8) 4. Send the message 5. Open the message again > ![image](https://github.com/user-attachments/assets/d36f1b64-7d96-486d-ab65-cce2b7d21428) ### Impact 1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials. 2. Session Hijacking: Gaining unauthorized access to user accounts. 3. Phishing: Tricking users into revealing sensitive information. 4. Website Defacement: Altering the appearance or content of the website. 5. Malware Distribution: Spreading malware to users' devices. 6. Denial of Service (DoS): Overloading the server with malicious requests.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1LOW3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

References (4)