GHSA-7c4c-749j-pfp2

GitHub Security Advisory

Admidio Vulnerable to HTML Injection In The Messages Section

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Summary
An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

### PoC
1. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
2. Click on Send Private Message
3. In the `Message` field, enter the following payload: `Testing<br><h1>HTML</h1><br><h2>Injection</h2>`

> ![image](https://github.com/user-attachments/assets/0e5d9e4e-69c5-4908-9ab9-0c45c2548ff8)

4. Send the message
5. Open the message again

> ![image](https://github.com/user-attachments/assets/d36f1b64-7d96-486d-ab65-cce2b7d21428)
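The injection shown in the PoC comes down to the message body being written into the page without output encoding. As an added example that is not part of the advisory or of Admidio's code, the Python below uses hypothetical render helpers (PHP's `htmlspecialchars` does the same job in the real project) to contrast an unescaped renderer with an escaped one on the advisory's payload, and adds a small audit helper for flagging messages already stored in the database that contain markup.

```python
import html
import re

# Constructed sample: the payload quoted in the advisory's PoC.
POC_MESSAGE = "Testing<br><h1>HTML</h1><br><h2>Injection</h2>"


def render_message_unsafe(text: str) -> str:
    """Hypothetical stand-in for printing a stored message straight into the page:
    line breaks become <br>, but the text itself is never escaped, so any tags
    the sender typed reach the browser as live markup."""
    return text.replace("\n", "<br>")


def render_message_safe(text: str) -> str:
    """Escape first, then add line breaks. The order matters: escaping after the
    <br> conversion would turn the breaks we just added back into visible text."""
    # Equivalent of PHP htmlspecialchars($text, ENT_QUOTES)
    escaped = html.escape(text, quote=True)
    return escaped.replace("\n", "<br>")


# Matches anything that looks like an HTML tag; a bare "<" followed by a
# non-letter (e.g. "1 < 2") is left alone.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup(text: str) -> list[str]:
    """Audit helper for messages already in the database: returns the raw tags
    found in a stored message so affected rows can be reviewed after patching."""
    return TAG_RE.findall(text)


if __name__ == "__main__":
    print("unsafe:", render_message_unsafe(POC_MESSAGE))
    print("safe:  ", render_message_safe(POC_MESSAGE))
    print("tags:  ", find_markup(POC_MESSAGE))
```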

### Impact
1. Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
2. Session Hijacking: Gaining unauthorized access to user accounts.
3. Phishing: Tricking users into revealing sensitive information.
4. Website Defacement: Altering the appearance or content of the website.
5. Malware Distribution: Spreading malware to users' devices.
6. Denial of Service (DoS): Overloading the server with malicious requests.

Affected Packages

Packagist admidio/admidio
Affected versions: 0 (fixed in 4.3.12)

Key Information

GHSA ID
GHSA-7c4c-749j-pfp2
Published
October 16, 2024 7:50 PM
Last Modified
October 16, 2024 10:07 PM
CVSS Score
2.5 /10
Primary Ecosystem
Packagist
Primary Package
admidio/admidio
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.