CVE-2024-38529 Information
Description
Admidio is a free open source user management system for websites of organizations and groups. In Admidio before version 4.3.10 there is a Remote Code Execution vulnerability in the Message module of the Admidio application: it is possible to upload a PHP file as a message attachment. The uploaded file can then be accessed publicly through the URL {admidio_base_url}/adm_my_files/messages_attachments/{file_name}. The vulnerability is caused by the lack of file extension verification, which allows malicious files to be uploaded to the server, combined with the public availability of the uploaded file. This vulnerability is fixed in 4.3.10.
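As an added illustration, not Admidio's own code or its fix, the two controls the description says were missing (extension verification and keeping uploads out of public reach) written as a PHP attachment handler; the storage directory and function names are assumptions:

```php
<?php
// Added example, not Admidio's code; directory and function names are assumptions.
// Outside the document root, so a stored file can never be fetched or
// executed by requesting a URL (the "public availability" weakness).
const ATTACHMENT_DIR = '/var/lib/admidio_example/attachments';
// Allowlist: permitted final extension -> content type the bytes must match.
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'png' => 'image/png',
                       'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
// Validate one $_FILES entry and move it into ATTACHMENT_DIR under a random
// name. Returns the stored basename, or null when the upload is rejected.
function storeAttachment(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // The check the vulnerable code lacked: the lower-cased final extension
    // must be allowlisted, so "shell.php" and "shell.PHP" are both refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Check the bytes too: PHP source renamed to ".jpg" is not image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Server-chosen name: the client controls neither path nor extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], ATTACHMENT_DIR . '/' . $stored)) {
        return null;
    }
    chmod(ATTACHMENT_DIR . '/' . $stored, 0640); // not executable, not world-readable
    return $stored;
}
// Deliver a stored attachment as a download, after the caller has verified the
// current user may read the message it belongs to. Nothing here is executed.
function serveAttachment(string $stored, string $downloadName): void
{
    $pattern = '/^[0-9a-f]{32}\.(' . implode('|', array_keys(ALLOWED_TYPES)) . ')$/';
    if (!preg_match($pattern, $stored) || !is_file(ATTACHMENT_DIR . '/' . $stored)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($downloadName) . '"');
    readfile(ATTACHMENT_DIR . '/' . $stored);
}
```

Because files live outside the web root and are only ever streamed back through serveAttachment, a file that slipped past the extension and content checks would still be sent as an opaque download rather than run by the PHP interpreter.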
Reference
https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm
https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c