SQL Injection in Admidio Application /adm_program/modules/ecards/ecard_send.php
CVE-2024-37906

8.8HIGH

Key Information:

Vendor: Admidio
Status: Admidio
Vendor: CVE Published:; 29 July 2024

What is CVE-2024-37906?

Admidio, a free and open-source user management platform for organizations and groups, is impacted by a SQL Injection vulnerability found in the ecard_send.php file within the application. This security flaw, present in versions prior to 4.3.9, allows malicious users to manipulate SQL queries through the ecard_recipients POST parameter, leading to potential unauthorized access to the application's database. Exploitation techniques include blind, time-based, and out-of-band SQL injection methods, making it essential for users to upgrade to version 4.3.9 or later to mitigate the risk.

Affected Version(s)

admidio < 4.3.9

References

https://github.com/Admidio/admidio/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/Admidio/admidio/commit/3ff02b0c64a6911...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 29, 2024
Vulnerability Reserved
Jun 10, 2024

CVE-2024-37906 Data

JSON