3.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47836

CVE-2024-47836: Admidio Vulnerable to HTML Injection In The Messages Section

Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PoC

Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
Click on Send Private Message
In the Message field, enter the following payload Testing<br><h1>HTML</h1><br><h2>Injection</h2>

Send the message
Open the message again

Impact

Data Theft: Stealing sensitive information like cookies, session tokens, and user credentials.
Session Hijacking: Gaining unauthorized access to user accounts.
Phishing: Tricking users into revealing sensitive information.
Website Defacement: Altering the appearance or content of the website.
Malware Distribution: Spreading malware to users' devices.
Denial of Service (DoS): Overloading the server with malicious requests.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-47836

CVE-2024-47836:

3.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
admidio/admidio	composer	< 4.3.12	4.3.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input sanitization in the message handling code. The commit diff shows the fix changed validation from 'html' to 'string' type for private messages in admFuncVariableIsValid. The 'html' type validation likely permitted raw HTML storage without adequate escaping, enabling XSS (CWE-79). The PoC demonstrates HTML injection via <h1> tags being rendered, confirming insufficient output encoding. The direct correlation between the vulnerable pattern in the diff and the described HTML injection impact supports high confidence in this being the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

3.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-47836: Admidio Vulnerable to HTML Injection In The Messages Section

Summary

PoC

Impact

CVE-2024-47836:

3.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

Technical Details

3.5

3.5

CVE-2024-47836: Admidio Vulnerable to HTML Injection In The Messages Section

Summary

PoC

Impact

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-47836: Admidio Vulnerable to HTML Injection In The Messages Section

Summary

PoC

Impact

CVE-2024-47836:

3.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

3.5

3.5

CVE-2024-47836: Admidio Vulnerable to HTML Injection In The Messages Section

Summary

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI