8 matches found
CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-32757
CVE-2026-32757 (Admidio) : Multiple sources detail an HTMLPurifier bypass in the eCard feature for Admidio
CVE-2026-32757
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...
CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...
GHSA-4WR4-F2QF-X5WJ Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other...
PT-2026-25855
Summary The eCard send handler in Admidio uses the raw $ POST'ecard message' value instead of the HTMLPurifier-sanitized $formValues'ecard message' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sen...