How severe is GHSA-ph84-r98x-2j22?

GHSA-ph84-r98x-2j22 has a CVSS score of 4.5/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-ph84-r98x-2j22?

GHSA-ph84-r98x-2j22 affects the following packages: admidio/admidio (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-ph84-r98x-2j22?

Update admidio/admidio to 5.0.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ph84-r98x-2j22 is resolved across your whole dependency graph.

How do I detect GHSA-ph84-r98x-2j22 in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for admidio/admidio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-ph84-r98x-2j22 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-ph84-r98x-2j22?

O3 pinpoints whether GHSA-ph84-r98x-2j22 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-ph84-r98x-2j22 actively exploited in the wild?

No public exploit code has been indexed for GHSA-ph84-r98x-2j22 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-ph84-r98x-2j22?

GHSA-ph84-r98x-2j22 has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 6th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-ph84-r98x-2j22?

GHSA-ph84-r98x-2j22 is classified as Cross-Site Request Forgery (CSRF) (CWE-352). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-ph84-r98x-2j22 published, and has it been updated?

GHSA-ph84-r98x-2j22 was published on March 31, 2026 and was last updated on March 31, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-ph84-r98x-2j22

MEDIUM

Admidio has Missing CSRF Protection on Registration Approval Actions

Also known asCVE-2026-34384

Published

Mar 31, 2026

Updated

Mar 31, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk6th percentile+0.16%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐘admidio/admidio

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely.

Details

CSRF Protection Is Present for delete_user but Absent for Approval Modes

File: modules/registration.php, lines 90-128

The delete_user mode validates the CSRF token (line 99), but the three approval modes do not:

// assign_member and assign_user: no CSRF check
} elseif (in_array($getMode, array('assign_member', 'assign_user'))) {
    $registrationService = new RegistrationService($gDb, $getUserUUID);
    $message = $registrationService->assignRegistration($getUserUUIDAssigned, $getMode === 'assign_member');
    $gMessage->setForwardUrl($message['forwardUrl']);
    $gMessage->show($message['message']);

// create_user: no CSRF check
} elseif ($getMode === 'create_user') {
    $registrationUser->acceptRegistration();
    if ($gCurrentUser->isAdministratorRoles()) {
        admRedirect(SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES.'/profile/roles.php',
            array('accept_registration' => true, 'user_uuid' => $getUserUUID)));
    }

// delete_user: CSRF IS validated
} elseif ($getMode === 'delete_user') {
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']); // <-- protected
    $registrationUser->delete();
}

The three approval modes read both UUIDs exclusively from $_GET (lines 41-43):

The approve action modes accept $_GET parameters user_uuid and user_uuid_assigned without any POST body or CSRF token. Both parameters pass through admFuncVariableIsValid() with uuid type validation, which prevents SQL injection but provides no CSRF protection.

User UUID Is Known to the Attacker from Registration Email

File: D:/bugcrowd/admidio/repo/src/Infrastructure/Service/RegistrationService.php, lines 154-157

When a user submits a registration, Admidio sends a confirmation email containing a URL of the form:

https://TARGET/adm_program/modules/registration.php?id=VALIDATION_ID&user_uuid=REGISTRANT_UUID

The user_uuid in this URL is the registrant's own UUID. The attacker has this UUID because they received the confirmation email for their own registration.

isAdministratorRegistration() Is a Delegated Right

File: D:/bugcrowd/admidio/repo/src/Users/Entity/User.php, lines 1603-1606

public function isAdministratorRegistration(): bool
{
    return $this->checkRolesRight('rol_approve_users');
}

The rol_approve_users right is a delegated organizational privilege, not full system administrator access. Any member designated to review registrations -- for example, a membership secretary or club administrator -- is a valid CSRF victim.

PoC

Scenario: Attacker bypasses manual registration approval

Prerequisites: (1) Manual registration approval is enabled. (2) The attacker submits a registration form and receives a confirmation email with their user_uuid. (3) After clicking the confirmation link, their registration enters the pending queue.

Step 1: Attacker extracts their own user_uuid from the registration email

The confirmation email contains a link of the form:

https://TARGET/adm_program/modules/registration.php?id=VALIDATION_ID&user_uuid=ATTACKER_UUID

The ATTACKER_UUID is visible to the attacker from their own email.

Step 2: CSRF auto-approval via image tag

The attacker hosts a page that the victim (admin with rol_approve_users right) visits:

<img src="https://TARGET/adm_program/modules/registration.php?mode=create_user&user_uuid=ATTACKER_UUID" width="1" height="1">

When the victim loads this page, Admidio silently accepts the attacker registration and assigns default organization roles. No confirmation or token is required.

Step 3: Force-assign registration to an existing account (account takeover)

If the attacker knows the UUID of an existing member (obtainable from profile page URLs when the user list is visible) and has a pending registration:

<img src="https://TARGET/adm_program/modules/registration.php?mode=assign_user&user_uuid=ATTACKER_REG_UUID&user_uuid_assigned=EXISTING_USER_UUID" width="1" height="1">

This merges the pending registration into the existing account, replacing that account login credentials with the attacker credentials.

Impact

Manual Approval Bypass: An attacker with a pending registration can force auto-approval without waiting for an administrator to manually review it. This grants them organization membership, including access to events, documents, mailing lists, and other role-restricted features.
Account Takeover via assign_user CSRF: If the attacker knows any member UUID (visible in profile page URLs), the assign_user mode merges the attacker registration into that member account, replacing the existing member login with the attacker credentials. This is a full account takeover requiring only that the victim admin visit a crafted URL.
Low Attack Complexity: The attacker only needs their own registration email to get their UUID. The CSRF payload is a plain GET request via an image tag -- no JavaScript required.
Delegated Right: The required victim right (rol_approve_users) is a common delegation target in organizations with membership approval workflows.

Recommended Fix

Add SecurityUtils::validateCsrfToken($_POST["adm_csrf_token"]) at the beginning of each approval action, consistent with how delete_user is already protected in the same file.

// File: modules/registration.php

} elseif (in_array($getMode, array('assign_member', 'assign_user'))) {
    // ADD: validate CSRF token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $registrationService = new RegistrationService($gDb, $getUserUUID);
    $message = $registrationService->assignRegistration($getUserUUIDAssigned, $getMode === 'assign_member');
    ...

} elseif ($getMode === 'create_user') {
    // ADD: validate CSRF token
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $registrationUser->acceptRegistration();
    ...

} elseif ($getMode === 'delete_user') {
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']); // already protected
    $registrationUser->delete();
}

Additionally, convert the approval action URLs from GET-based links to POST-form buttons (with the CSRF token in a hidden field). The existing delete_user button uses callUrlHideElement() which already sends the token in the POST body -- use the same pattern for approval buttons.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`admidio/admidio`	all versions	5.0.8

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for admidio/admidio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update admidio/admidio to 5.0.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ph84-r98x-2j22 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-ph84-r98x-2j22 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-ph84-r98x-2j22. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary The create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafte

O3 Security · Impact-Aware SCA

Is GHSA-ph84-r98x-2j22 in your dependencies?

O3 detects GHSA-ph84-r98x-2j22 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works