PT-2024-5494 · Admidio · Admidio

Umeradeemcheema · Published 2024-06-15 · Updated 2024-08-05 · CVE-2024-37906 · CVSS v3.1 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 4.3.9

Description: The issue is an SQL Injection in the /adm_program/modules/ecards/ecard_send.php source file of the Admidio application. This SQL Injection results in a compromise of the application's database. The value of the ecard_recipients POST parameter is concatenated directly into the SQL query in the source code, which causes the SQL Injection. The SQL Injection can be exploited by a member user with blind condition-based, time-based, and out-of-band interaction SQL Injection payloads. An attacker could potentially access sensitive data; modify, delete, or add data in the database; and possibly achieve remote code execution.

Recommendations: For versions prior to 4.3.9, update to version 4.3.9 to fix the SQL Injection vulnerability. As a temporary workaround, consider using parameterized queries or prepared statements instead of concatenating user input directly into SQL queries, or sanitize the input before including it in the SQL query. Restrict access to the /adm_program/modules/ecards/ecard_send.php endpoint to minimize the risk of exploitation. Avoid using the ecard_recipients parameter in the affected endpoint until the issue is resolved.
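To make the recommended fix concrete, the added example below (not Admidio's code; Admidio is written in PHP, and the pattern is language-neutral) contrasts the flawed concatenation pattern with the parameterized alternative on a constructed in-memory table. The table name, columns, and e-mail rows are assumptions, and the functions are hypothetical stand-ins for the recipient lookup.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a user table; schema and rows are assumptions, not Admidio's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr (usr_id INTEGER PRIMARY KEY, usr_email TEXT)")
    db.executemany("INSERT INTO usr VALUES (?, ?)", [
        (1, "alice@example.org"),
        (2, "bob@example.org"),
        (3, "admin@example.org"),
    ])
    return db


def recipients_vulnerable(db, ecard_recipients):
    """The flawed pattern the advisory describes: the POST value is concatenated into the SQL.

    A value that carries a condition changes the meaning of the WHERE clause instead of
    being treated as a recipient id.
    """
    sql = "SELECT usr_email FROM usr WHERE usr_id = " + ecard_recipients
    return [row[0] for row in db.execute(sql)]


def recipients_parameterized(db, ecard_recipients):
    """Prepared statement: the value is bound as data, so it can never become SQL syntax.

    A non-numeric value simply matches no row.
    """
    sql = "SELECT usr_email FROM usr WHERE usr_id = ?"
    return [row[0] for row in db.execute(sql, (ecard_recipients,))]


def recipients_hardened(db, ecard_recipients):
    """Validate, then bind: accepts a comma-separated list of numeric ids and rejects anything else.

    Only '?' placeholders are interpolated into the query text; user data goes through bind
    parameters exclusively.
    """
    parts = [p.strip() for p in ecard_recipients.split(",")]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("ecard_recipients must be a comma-separated list of numeric user ids")
    placeholders = ",".join("?" * len(parts))
    sql = f"SELECT usr_email FROM usr WHERE usr_id IN ({placeholders}) ORDER BY usr_id"
    return [row[0] for row in db.execute(sql, [int(p) for p in parts])]
```

Running the same crafted value through all three functions shows the difference: the concatenated query returns every row, the bound query returns nothing, and the validating version refuses the input before any SQL is built.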

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-06143
CVE-2024-37906
GHSA-69WX-XC6J-28V3

Affected Products

Admidio