CVE: Common Vulnerabilities and Exposures

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

Expand or collapse notification button

Required CVE Record Information

Description

SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.

CWE 1 Total

CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS 1 Total

Product Status

Versions 1 Total

Default Status: unknown

affected

References 3 Total

Updated: 2024-08-04

This container includes required additional information provided by the CVE Program for this vulnerability.

References 3 Total

https://github.com/Admidio/admidio/security/advisories/GHSA-qh57-rcff-gx54
external site
x_transferred
https://github.com/Admidio/admidio/issues/908
external site
x_transferred
https://github.com/Admidio/admidio/commit/ea5d6f114b151ed11ec0ad7cb47bd729e77a874a
external site
x_transferred