PT-2024-5487 · Admidio · Admidio
Author: Umeradeemcheema · Published 2024-07-26 · Updated 2024-08-05
CVE-2024-38529 · CVSS v4.0 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Admidio versions prior to 4.3.10
Description
A remote code execution issue exists in the Message module of the Admidio application. The module does not verify the extension of uploaded attachments, so arbitrary files can be uploaded to the server, and each uploaded file is publicly reachable at `{admidio base url}/adm_my_files/messages_attachments/{file name}`. An attacker can therefore upload a PHP web shell that executes OS commands on the application server. This can lead to a complete compromise of the server: executing arbitrary code or commands; accessing, modifying or deleting sensitive data; installing malicious software or scripts; gaining further access to internal networks; and disrupting the services and applications hosted on the server.
Recommendations
- For versions prior to 4.3.10, update to version 4.3.10, which fixes the vulnerability.
- As a temporary workaround, consider disabling the file upload feature in the Message module until the fixed version can be applied.
- Restrict access to the `{admidio base url}/adm_my_files/messages_attachments/{file name}` endpoint to minimize the risk of exploitation.
- Implement strict file extension verification so that only allowed file types can be uploaded.
- Reject any file upload with a disallowed or suspicious extension such as .php, .phtml or .exe.
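The last two recommendations describe an allow-list check on attachment uploads. The following is an added example of such a check written for this page; it is not Admidio's own code, and the function name, the allow-list, the size limit and the target directory are assumptions made for illustration. It validates one `$_FILES` entry, rejects anything whose final extension is not on the allow-list, refuses double extensions that embed a script extension (the advisory's deny-list of `.php`, `.phtml`, `.exe` is kept only as a secondary sanity check, since deny-lists are never complete), confirms the detected content type matches the extension, and returns a random on-disk name so the client-supplied name is never reused.

```php
<?php
// Added example: allow-list validation for message attachments.
// Not Admidio's code; names and limits below are illustrative assumptions.
declare(strict_types=1);

final class AttachmentValidationException extends RuntimeException {}

/**
 * Validate one entry of $_FILES and return a safe name to store it under.
 * The caller is expected to move the file with move_uploaded_file() afterwards.
 */
function validateMessageAttachment(array $file, int $maxBytes = 5 * 1024 * 1024): string
{
    // 1. The upload itself must have succeeded.
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new AttachmentValidationException('Upload failed with error code ' . $code);
    }
    if (($file['size'] ?? 0) > $maxBytes) {
        throw new AttachmentValidationException('Attachment exceeds size limit');
    }

    // 2. Allow-list (assumed set): extension => expected detected MIME type.
    static $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'txt'  => 'text/plain',
    ];

    $originalName = basename((string) ($file['name'] ?? ''));   // drop any path components
    $parts = explode('.', strtolower($originalName));
    if (count($parts) < 2 || $parts[0] === '') {
        throw new AttachmentValidationException('File has no usable extension');
    }
    $extension = array_pop($parts);
    if (!isset($allowed[$extension])) {
        throw new AttachmentValidationException("Extension .$extension is not permitted");
    }

    // 3. Double extensions ("report.php.jpg") are executed by some server
    //    configurations, so reject any inner segment that looks like a script extension.
    //    This is the advisory's deny-list idea, used only as a secondary check.
    foreach ($parts as $segment) {
        if (preg_match('/^(ph(p\d?|tml|ar|ps)|exe|cgi|pl)$/', $segment)) {
            throw new AttachmentValidationException('Script extension embedded in file name');
        }
    }

    // 4. Check the real content type; $file['type'] is client-supplied and untrusted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$extension]) {
        throw new AttachmentValidationException('Content type does not match the extension');
    }

    // 5. Never reuse the client's name on disk: a random name defeats URL guessing
    //    and discards any remaining encoding or path tricks in the original name.
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Usage (assumed form field and directory). The directory must be one where
// the web server does not execute scripts, regardless of what passes validation.
$targetDir = __DIR__ . '/adm_my_files/messages_attachments/';
try {
    $upload   = $_FILES['attachment'] ?? [];
    $safeName = validateMessageAttachment($upload);
    if (!move_uploaded_file($upload['tmp_name'], $targetDir . $safeName)) {
        throw new AttachmentValidationException('Could not store attachment');
    }
    echo 'Stored as ' . htmlspecialchars($safeName);
} catch (AttachmentValidationException $e) {
    http_response_code(400);
    echo 'Attachment rejected: ' . htmlspecialchars($e->getMessage());
}
```

The check belongs alongside, not instead of, the recommendation to restrict the attachments endpoint: configure the web server so nothing under the attachments directory is ever handed to the PHP interpreter (for example `php_flag engine off` plus a `FilesMatch` deny rule in an Apache `.htaccess`, or an nginx `location` for that path that serves static files only). With both layers in place, a file that slips past the allow-list is still just bytes served with a static content type rather than code the server runs.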
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
CVE-2024-38529
Affected Products
Admidio