SB2022011108 - Multiple vulnerabilities in Admidio
Published: January 11, 2022
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Code Injection (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in the menu feature. A remote user can inject and execute arbitrary JavaScript code via the URL entry.
2) Stored cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Facebook URL field. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
3) Code Injection (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in the Web links feature. A remote user can execute arbitrary JavaScript code in the victim's browser.
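All three issues above share one root cause: a user-supplied URL (menu entry, Facebook profile link, web link) is stored and later placed into a page without checking its scheme or escaping it for the attribute it lands in. The following is an added example written for this bulletin, not Admidio's own code, showing the check a defender wants on such a field: accept only absolute http(s) URLs with a host, normalise the whitespace and control characters browsers ignore before the check so a disguised scheme cannot slip past, and attribute-escape even an accepted URL when rendering it. The allowed-scheme set and the function names are assumptions for the example; the page does not describe Admidio's internals.

```python
import html
import re
from urllib.parse import urlsplit

# Allowlist of schemes a stored link/menu/profile URL may use (assumption for
# this example; the bulletin does not state which schemes Admidio accepts).
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop leading/trailing C0 controls and spaces, and embedded
# tab/CR/LF, before resolving a scheme, so the check must see the same string.
_EDGE_JUNK = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_JUNK = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_url(raw: str) -> str:
    """Apply the same whitespace handling a browser would before parsing."""
    return _INNER_JUNK.sub("", _EDGE_JUNK.sub("", raw))


def is_safe_web_url(raw: str) -> bool:
    """True only for an absolute http(s) URL with a host; everything else is rejected."""
    url = normalize_url(raw)
    match = _SCHEME.match(url)
    if match is None:
        return False  # relative or scheme-less input: refuse rather than guess
    if match.group(1).lower() not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, vbscript: and anything else
    return bool(urlsplit(url).netloc)


def render_link(raw: str, label: str) -> str:
    """Emit an <a> element; unsafe URLs lose their href but keep the escaped text."""
    text = html.escape(label, quote=True)
    if not is_safe_web_url(raw):
        return text
    # Attribute-escape even an accepted URL: a quote inside it would otherwise
    # terminate the href attribute and let the remainder become markup.
    href = html.escape(normalize_url(raw), quote=True)
    return f'<a href="{href}" rel="noopener noreferrer">{text}</a>'


if __name__ == "__main__":
    # Constructed sample inputs for a "Url" / "Facebook URL" style field.
    samples = [
        "https://example.com/profile",
        "  JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "example.com",
        'https://example.com/?q="x"',
    ]
    for s in samples:
        print(repr(s), "->", is_safe_web_url(s), render_link(s, "Link"))
```

Rejecting scheme-less input rather than prefixing `http://` is deliberate: guessing on the server side widens what an attacker can get stored, and a field meant for a web address can simply require one. Validation at store time and escaping at render time are both needed; the second vulnerability above (insufficient sanitization of the stored value) is what the `html.escape` call addresses, the first and third (scheme injection) is what `is_safe_web_url` addresses.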
Remediation
Install the update from the vendor's website.
References
- https://github.com/Admidio/admidio/releases/tag/v4.0.13
- https://github.com/Admidio/admidio/issues/1138
- https://www.huntr.dev/bounties/d3f3ce78-4a30-457d-982e-70d74e68efeb/
- https://github.com/Admidio/admidio/issues/1144
- https://www.huntr.dev/bounties/357c5855-1f71-4881-993c-5a3b13da0dd3/
- https://github.com/Admidio/admidio/issues/1159