PT-2020-2711 · Admidio

M507 · Published 2020-04-24 · Updated 2020-05-04 · CVE-2020-11004

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 3.3.13

Description: The issue stems from improper neutralization of special elements used in an SQL command, allowing SQL injection. A remote attacker can use specially crafted SQL queries to gain unauthorized access to protected information; the vulnerability affects the confidentiality of the system. An attacker can send a GET request with arbitrary SQL appended to the main cookie parameter and execute SQL queries without logging in.

Recommendations: For versions prior to 3.3.13, update to version 3.3.13 to resolve the issue. As a temporary workaround, consider restricting access to the SQL query functionality to minimize the risk of exploitation, and avoid using the main cookie parameter in SQL queries until the fix is applied.
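The following is an added, constructed illustration of the vulnerability class described above (a cookie value reaching an SQL statement without neutralization) beside a hardened lookup; it is not Admidio's code, and the table, column and session values are assumptions made up for the example. The fixed version first allow-lists the cookie format and then binds the value as a query parameter, which is the pattern a fix for this class of issue relies on.

```python
import re
import sqlite3

# Constructed sample session table: (session_id, user_id, role).
SESSION_ROWS = [
    ("a3f9c2e1", 1, "admin"),
    ("7b0d11aa", 2, "member"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the application's session store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, user_id INTEGER, role TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SESSION_ROWS)
    return conn


def lookup_session_vulnerable(conn, cookie_value):
    """Concatenates the raw cookie text into the statement: the cookie becomes part of the SQL."""
    sql = "SELECT user_id, role FROM sessions WHERE session_id = '" + cookie_value + "'"
    return conn.execute(sql).fetchall()


# Hypothetical session-id format: eight lowercase hex characters (an assumption for this example).
SESSION_ID_RE = re.compile(r"^[0-9a-f]{8}$")


def lookup_session_fixed(conn, cookie_value):
    """Rejects anything that is not a well-formed session id, then binds the value as a parameter."""
    if not SESSION_ID_RE.fullmatch(cookie_value):
        return []
    sql = "SELECT user_id, role FROM sessions WHERE session_id = ?"
    return conn.execute(sql, (cookie_value,)).fetchall()


def demo():
    """Run both lookups against a legitimate cookie and a constructed one carrying SQL."""
    conn = make_db()
    legit = "7b0d11aa"
    # Constructed cookie value with SQL appended, of the kind the advisory describes.
    tampered = "x' OR '1'='1"
    return {
        "vuln_legit": lookup_session_vulnerable(conn, legit),
        "vuln_tampered": lookup_session_vulnerable(conn, tampered),
        "fixed_legit": lookup_session_fixed(conn, legit),
        "fixed_tampered": lookup_session_fixed(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenating version, the tampered cookie rewrites the WHERE clause into a tautology and the query returns every session row, i.e. the caller is treated as logged in without a valid session; with the hardened version the same input is rejected before any SQL runs, and a legitimate cookie still resolves to exactly one row. When verifying a fix, the check that matters is that the cookie value is never spliced into statement text anywhere it is consumed.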

Fix

SQL injection


Weakness Enumeration

Related Identifiers

BDU:2020-02787
CVE-2020-11004
GHSA-QH57-RCFF-GX54

Affected Products

Admidio