
CVE-2023-3692: Admidio vulnerable to Unrestricted Upload of File with Dangerous Type

CVSS Score: 6.7
CVSS Version: 3.0

Basic Information

EPSS Score
0.16375%
Published
7/16/2023
Updated
11/6/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Package Name: admidio/admidio
Ecosystem: composer
Vulnerable Versions: < 4.2.10
First Patched Version: 4.2.10

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability existed in the CKEditor file upload handler logic. Prior to the patch, the code:

  1. Moved uploaded files via move_uploaded_file() without first validating the file extension
  2. Only performed a weak validation via getimagesize() after the file was already stored

This allowed two attack vectors:

  • Uploading non-image files with dangerous extensions
  • Uploading polyglot files that pass getimagesize() checks but contain executable code

The patch added a critical FileSystemUtils::allowedFileExtension() check early in the process to validate extensions before any file operations. The vulnerable code path in ckeditor_upload_handler.php's main execution flow (not wrapped in a named function) was directly responsible for the insecure upload mechanism.
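The ordering problem described above, as an added example that is not Admidio's code and does not use the project's FileSystemUtils helper: a minimal handler that moves the file first and checks later, beside a hardened handler that allow-lists the extension and verifies the image bytes on the temporary file before any move. `UPLOAD_DIR`, `ALLOWED_EXT` and the two function names are assumptions.

```php
<?php
// Added example, not Admidio code. Paths and helper names are assumptions.
const UPLOAD_DIR = '/var/www/uploads';            // assumed storage directory
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif']; // assumed allow-list

// Vulnerable ordering: the file is written to disk under a caller-chosen name
// before any check; getimagesize() is consulted only after it is stored.
function vulnerableUpload(array $file): ?string
{
    $dest = UPLOAD_DIR . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    if (getimagesize($dest) === false) {   // check happens too late
        unlink($dest);
        return null;
    }
    return $dest;
}

// Hardened ordering: validate the extension and the content on the temporary
// file, then store under a server-generated name with the validated extension.
function hardenedUpload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {   // checked before any file operation
        return null;
    }
    // Validate the actual bytes and require the detected type to match the extension
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $expected = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                 'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    if ($info[2] !== $expected[$ext]) {
        return null;
    }
    // Server-chosen name: no caller-controlled path components or double extensions
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // no execute bit on the stored file
    return $dest;
}
```

The allow-list and server-chosen name address the dangerous-extension vector; the content check on the temporary file narrows the polyglot vector, but uploads should still be served from a location the web server does not execute.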


WAF Protection Rules

WAF Rule

Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.
