The Admidio application is vulnerable to formula injection (CSV injection) via the Firstname and Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted Excel file.
=10+20+cmd|' /C calc'!A0
Open Groups and roles, then show the member list and export the data in CSV format.

# PoC
https://drive.google.com/file/d/1YxPNFvzRPD9t3HRDN1jroBw7mxHwp4n3/view?usp=drive_link
https://drive.google.com/file/d/1cBV8TB2eE3NRbG1V_0eF3yL0oHOrez17/view?usp=drive_link
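
One way to neutralize formula cells at export time, as an added example that is not Admidio's own code or its actual fix. The function names and the sample member rows are hypothetical, and PHP 7.4 or later is assumed:

```php
<?php
declare(strict_types=1);

// Leading characters that make a spreadsheet evaluate a cell as a formula
// (the set listed in OWASP's CSV injection guidance).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** Prefix a formula-looking value with an apostrophe so it is shown as text. */
function neutralizeCell(string $value): string
{
    if ($value !== '' && in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/** Build CSV text from rows, neutralizing every cell before it is written. */
function exportCsv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $safe = array_map(
            static fn($cell): string => neutralizeCell((string) $cell),
            $row
        );
        // fputcsv quotes fields containing delimiters, quotes or spaces and
        // doubles embedded quotes; the empty escape string disables PHP's
        // non-standard backslash escaping.
        fputcsv($fh, $safe, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample member list; the second row carries the value from this report.
$members = [
    ['Firstname', 'Lastname'],
    ["=10+20+cmd|' /C calc'!A0", 'Doe'],
    ['Anna', '-Smith'],
];
echo exportCsv($members);
```

The apostrophe prefix also applies to legitimate values that start with a trigger character, such as negative numbers, so it belongs on the export path only and not on the stored data.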