PT-2025-43410 · Admidio · Admidio

Published 2025-10-22 · Updated 2025-10-27 · CVE-2025-62617

CVSS v3.1 7.2 High
Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 4.3.17
Description: Admidio, a user management solution, contains a SQL injection issue in the member assignment data retrieval functionality. An authenticated user with role assignment permissions can execute arbitrary SQL commands, potentially leading to a full compromise of the application's database, including reading, modifying and deleting data. The vulnerability resides in the adm_program/modules/groups-roles/members_assignment_data.php script, specifically in how the filter_rol_uuid GET parameter is handled: the value is not sufficiently sanitized and is concatenated directly into a raw SQL query, so an attacker who controls the parameter can alter the statement and inject SQL of their own. Vulnerable file: adm_program/modules/groups-roles/members_assignment_data.php. Vulnerable parameter: filter_rol_uuid.
Recommendations: Update to Admidio version 4.3.17 or later.
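The injection pattern the description refers to, shown as an added, runnable illustration in Python against an in-memory SQLite database rather than in Admidio's own PHP code. Everything here is constructed for the example: the roles and users tables, their columns, the sample UUIDs and the lookup functions are assumptions standing in for the application's schema and code, not the project's own. The vulnerable function splices filter_rol_uuid into the query text the way the advisory describes, which lets a single quote in the value disable the visibility filter or UNION in rows from another table; the hardened function checks the value's shape against a UUID allow-list and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data. The table names, columns and UUIDs are assumptions
# made for this example; they are not Admidio's real schema or data.
SAMPLE_ROLES = [
    ("9a6f1c2e-1b3d-4e5f-8a9b-0c1d2e3f4a5b", "Members", 1),
    ("0f0e0d0c-0b0a-4908-8706-050403020100", "Board", 1),
    ("7c7b7a79-7877-4675-8473-727170696867", "Administrators", 0),  # hidden role
]
SAMPLE_USERS = [("alice",), ("bob",)]

# Canonical 8-4-4-4-12 hex UUID; anything else is rejected before it reaches SQL.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Payloads an attacker could place in ?filter_rol_uuid=... (constructed).
BYPASS_VISIBILITY = "' OR '1'='1"
READ_OTHER_TABLE = "' UNION SELECT usr_login_name FROM users WHERE '1'='1"


def make_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (rol_uuid TEXT, rol_name TEXT, rol_visible INTEGER)")
    conn.execute("CREATE TABLE users (usr_login_name TEXT)")
    conn.executemany("INSERT INTO roles VALUES (?, ?, ?)", SAMPLE_ROLES)
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, filter_rol_uuid):
    """The flaw the advisory describes: the GET parameter is concatenated into
    the SQL text, so quotes in the value change the statement's structure."""
    sql = ("SELECT rol_name FROM roles WHERE rol_visible = 1 "
           "AND rol_uuid = '" + filter_rol_uuid + "'")
    return sorted(row[0] for row in conn.execute(sql))


def is_valid_filter(filter_rol_uuid):
    """Allow-list check: the only legitimate shape for this parameter is a UUID."""
    return bool(UUID_RE.match(filter_rol_uuid))


def hardened_lookup(conn, filter_rol_uuid):
    """Validate first, then bind the value as a parameter so it can only ever
    be compared against rol_uuid and is never interpreted as SQL."""
    if not is_valid_filter(filter_rol_uuid):
        raise ValueError("filter_rol_uuid must be a UUID")
    sql = "SELECT rol_name FROM roles WHERE rol_visible = 1 AND rol_uuid = ?"
    return sorted(row[0] for row in conn.execute(sql, (filter_rol_uuid,)))


if __name__ == "__main__":
    db = make_db()
    print("honest request:", vulnerable_lookup(db, SAMPLE_ROLES[0][0]))
    print("hidden role leaked:", vulnerable_lookup(db, BYPASS_VISIBILITY))
    print("other table read:", vulnerable_lookup(db, READ_OTHER_TABLE))
    print("hardened, honest request:", hardened_lookup(db, SAMPLE_ROLES[0][0]))
    for payload in (BYPASS_VISIBILITY, READ_OTHER_TABLE):
        try:
            hardened_lookup(db, payload)
        except ValueError as exc:
            print("hardened rejects payload:", exc)
```

Parameter binding alone is what stops the injection; the UUID shape check is defense in depth that also gives the caller a clean reason to return an HTTP 400 instead of running a query at all. In the PHP application the same two steps apply to the value read from $_GET before it is handed to a prepared statement.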

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2025-62617
GHSA-2V5M-CQ9W-FC33

Affected Products

Admidio