Admidio · Admidio · CVE-2026-30927
**Name of the Vulnerable Software and Affected Versions**
Admidio versions prior to 5.0.6
**Description**
Admidio is a user management solution. A flaw exists in the event participation logic within the `modules/events/events_function.php` file. This allows any user permitted to participate in an event to register or cancel participation for other users by manipulating the `user_uuid` GET parameter. The issue stems from an incorrect conditional statement using the OR operator (`||`), which allows any user to specify a different `user_uuid` and operate on the target user's ID (`usr_id`) instead of the current user's ID. This could lead to unwanted registrations, cancellations, or manipulation of event participant data. The vulnerable code operates on `$user->getValue('usr_id')`.
**Recommendations**
Versions prior to 5.0.6 should be updated to version 5.0.6 or later. As a temporary workaround, for non-leader users, force the `user_uuid` parameter to the current user's UUID.
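
The OR-based check and the workaround described above, modeled side by side as an added example (this is not Admidio's source code). The function names, the `$isLeader` and `$mayParticipate` flags, and the sample UUIDs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model with hypothetical names; not Admidio's source code.
// $isLeader: caller may manage participants of the event (assumed role flag).
// $mayParticipate: caller is permitted to participate in the event.

// Flawed pattern: with ||, the participation right alone is enough to
// act on whatever user_uuid the request carries.
function resolveTargetFlawed(string $currentUuid, string $requestedUuid,
                             bool $isLeader, bool $mayParticipate): string
{
    if ($isLeader || $mayParticipate) {
        return $requestedUuid !== '' ? $requestedUuid : $currentUuid;
    }
    throw new RuntimeException('participation not permitted');
}

// Hardened pattern: only a leader may name another user; for everyone
// else the supplied user_uuid is discarded and the caller's own is used.
function resolveTargetHardened(string $currentUuid, string $requestedUuid,
                               bool $isLeader, bool $mayParticipate): string
{
    if (!$isLeader && !$mayParticipate) {
        throw new RuntimeException('participation not permitted');
    }
    if ($isLeader && $requestedUuid !== '') {
        return $requestedUuid;
    }
    return $currentUuid;
}

// Constructed sample UUIDs and request cases.
$alice = '11111111-1111-4111-8111-111111111111';
$bob   = '22222222-2222-4222-8222-222222222222';
$cases = [
    'participant, own uuid'   => [$alice, $alice, false, true],
    'participant, other uuid' => [$alice, $bob,   false, true],
    'leader, other uuid'      => [$alice, $bob,   true,  true],
];

foreach ($cases as $label => [$current, $requested, $leader, $participant]) {
    $flawed   = resolveTargetFlawed($current, $requested, $leader, $participant);
    $hardened = resolveTargetHardened($current, $requested, $leader, $participant);
    printf("%-24s flawed=%s hardened=%s\n", $label,
        $flawed === $current ? 'self' : 'other',
        $hardened === $current ? 'self' : 'other');
}
```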