Platform
php
Component
admidio
Fixed in
4.3.10
CVE-2024-37906 describes a critical SQL Injection vulnerability affecting Admidio, a user management system for organizations. This flaw allows attackers to potentially compromise the application's database through manipulation of the ecard_recipients POST parameter. The vulnerability impacts versions of Admidio prior to 4.3.9, and a patch is available.
The SQL Injection vulnerability in Admidio allows an authenticated user to inject malicious SQL code into the ecard_recipients parameter. This can lead to unauthorized access to sensitive data stored within the Admidio database, including user credentials, organization details, and potentially other confidential information. Successful exploitation could result in complete database compromise, enabling attackers to modify, delete, or exfiltrate data. The blind, time-based, and out-of-band interaction SQL Injection techniques described in the vulnerability description suggest a sophisticated attacker could bypass common defenses and extract data even with limited feedback.
CVE-2024-37906 was publicly disclosed on July 29, 2024. The vulnerability's ease of exploitation, combined with Admidio's popularity, suggests a medium probability of exploitation (EPSS score likely medium). No public proof-of-concept (PoC) code has been publicly released as of this writing, but the vulnerability description provides sufficient detail for attackers to develop their own exploits. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.92% (76% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-37906 is to immediately upgrade Admidio to version 4.3.9 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input in the ecard_recipients parameter. Specifically, look for unusual characters or SQL keywords within the parameter value. Input validation and sanitization on the server-side can also help reduce the attack surface, although this is not a substitute for patching. Monitor Admidio logs for unusual database queries or error messages that might indicate an attempted exploit.
Update Admidio to version 4.3.9 or higher. This version contains a fix for the (SQL Injection) vulnerability. The update can be performed through the Admidio administration panel or by downloading the latest version of the software and replacing the existing files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-37906 is a critical SQL Injection vulnerability in Admidio versions before 4.3.9, allowing attackers to potentially compromise the database by manipulating the ecard_recipients parameter.
You are affected if you are using Admidio versions 4.3.9 or earlier. Immediately check your version and upgrade if necessary.
Upgrade Admidio to version 4.3.9 or later. Consider implementing a WAF rule to filter malicious input as an interim measure.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Monitor security advisories.
Refer to the official Admidio website and security advisories for the latest information and updates regarding CVE-2024-37906.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.