Critical Admidio Vulnerabilities CVE-2024-37906 and CVE-2024-38529 Revealed
Cybersecurity researchers have uncovered two critical security vulnerabilities (CVE-2024-37906 and CVE-2024-38529) in Admidio, a popular open-source user management system used by organizations and groups worldwide. These vulnerabilities could potentially allow attackers to compromise the confidentiality, integrity, and availability of sensitive data and systems.
CVE-2024-37906 (CVSS 10): Blind SQL Injection
Data Exfiltration via Condition-based Time Delays
The first vulnerability, tracked as CVE-2024-37906, is a blind SQL injection flaw in the ecard_send.php file. An attacker who is a registered member can exploit this vulnerability to exfiltrate data from the underlying database, potentially exposing sensitive information such as usernames, passwords, and personal details. In a worst-case scenario, the attacker could even execute commands on the underlying system, gaining full control of the server.
CVE-2024-38529 (CVSS 9.1): Remote Code Execution via Arbitrary File Upload
RCE via Webshell
The second vulnerability, identified as CVE-2024-38529, allows for remote code execution (RCE) through arbitrary file uploads in the message module. An attacker can exploit this flaw by uploading a malicious PHP file disguised as an attachment. Once uploaded, this file can be accessed publicly, enabling the attacker to execute arbitrary code on the server, leading to a complete takeover of the Admidio system.
Impact and Mitigation
These vulnerabilities have the potential to cause significant damage to organizations using Admidio, especially those storing sensitive information. The consequences of a successful attack could include:
- Data breaches and theft of confidential information
- Unauthorized access to systems and networks
- Disruption of services and operations
- Financial losses due to remediation and recovery
All organizations using Admidio must take immediate action to mitigate these risks. The developers of Admidio have released a patched version, 4.3.10, which addresses both vulnerabilities. Users are strongly advised to update their Admidio installations to the latest version as soon as possible.
In addition to updating, organizations should also consider implementing additional security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to protect against potential attacks.
