CVE-2024-38529

2024-07-2915:15:10

CWE-434

GitHub_M

web.nvd.nist.gov

admidio

remote code execution

vulnerability

file upload

php

security advisory

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

Percentile

9.4%

JSON

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL {admidio_base_url}/adm_my_files/messages_attachments/{file_name}. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10.

Affected configurations

Vulners

Node

admidioadmidioRange<4.3.10

VendorProductVersionCPE
admidioadmidio*cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
admidio	admidio	*	cpe:2.3:a:admidio:admidio::::::::

CNA Affected

[
  {
    "vendor": "Admidio",
    "product": "admidio",
    "versions": [
      {
        "version": "< 4.3.10",
        "status": "affected"
      }
    ]
  }
]