CVE-2018-25370

Admidio 3.3.5 Cross-Site Request Forgery via roles_function.php

CVSS 6.9 MEDIUMEPSS 0.2%CWE-352

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Affected products

Admidio · Admidio

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/45322unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://sourceforge.net/projects/admidio/files/Admidio/3.3.x/admidio-3.3.5.zip/download https://www.admidio.org/https://www.exploit-db.com/exploits/45322 https://www.vulncheck.com/advisories/admidio-cross-site-request-forgery-via-roles-function-php