Announcements

Critical security vulnerabilities found in Admidio

Several security vulnerabilities, some of them critical, have been discovered in Admidio. All of these have been fixed in version 5.0.7. We strongly recommend updating to this version.

Missing Authorization and CSRF Protection on Document and Folder Deletion
The documents and files module in Admidio does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f 

File Upload (RCE) Vulnerability
A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server. For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5 
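The defect described above is one of ordering: a failed CSRF check must end the request, not merely set an error flag that a later extension check consults. The following PHP is an added example of a fail-closed upload handler; it is not Admidio's UploadHandlerFile.php, and the function names, the session key csrf_token, the allowlist and the target directory are assumptions made for the example.

```php
<?php
// Hypothetical hardened upload handler (not Admidio's code). Every gate throws,
// so a failed CSRF check can never cause a later gate to be skipped.

const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'docx', 'xlsx'];

function validateCsrfToken(string $sessionToken, $submitted): void
{
    if (!is_string($submitted) || $sessionToken === '' || !hash_equals($sessionToken, $submitted)) {
        throw new RuntimeException('Invalid CSRF token', 403);
    }
}

function validateUploadedFilename(string $originalName): string
{
    // Drop any directory component the client may have sent.
    $base = basename($originalName);
    // Require exactly one extension: "shell.php.png" and "shell.php" are both rejected.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.([A-Za-z0-9]{1,5})$/', $base, $m)) {
        throw new RuntimeException('Unsupported file name', 400);
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('File type not allowed', 400);
    }
    return $base;
}

function handleUpload(array $session, array $post, array $file, string $targetDir): string
{
    // Gate 1: CSRF. Throws on failure, so nothing below runs.
    validateCsrfToken($session['csrf_token'] ?? '', $post['adm_csrf_token'] ?? null);

    // Gate 2: a genuine upload belonging to this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload', 400);
    }

    // Gate 3: extension allowlist, evaluated on the cleaned client name.
    $safeName = validateUploadedFilename((string) $file['name']);

    // Store under a random server-chosen name; only the validated extension survives.
    $ext    = pathinfo($safeName, PATHINFO_EXTENSION);
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file', 500);
    }
    return $stored;
}

// Usage inside a request handler (paths are placeholders):
// $stored = handleUpload($_SESSION, $_POST, $_FILES['file'], '/var/www/uploads/documents');
```

A second, independent layer is to configure the web server so that nothing under the upload directory is ever executed as PHP; then even a mistake in the allowlist cannot turn an upload into code execution.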

Second-Order SQL Injection via List Configuration
The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements (safe storage), but are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization. This is a classic second-order SQL injection: safe write, unsafe read.
An attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m 
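The safe-write/unsafe-read pattern is fixed at the read side: values coming back from adm_list_columns are data, not SQL, and must be re-validated before they are spliced into a query. The PHP below is an added example of that read-side validation; it is not Admidio's list code. Column identifiers are checked against a fixed allowlist, sort directions against two literals, and filter values are bound as parameters. The table and column names, the operator set and the configuration layout are placeholders chosen for the example.

```php
<?php
// Hypothetical list query builder (not Admidio's code). Stored configuration
// rows are treated as untrusted input even though they came from the database.

final class ListQueryBuilder
{
    /** Column identifiers the list module may reference (placeholder names). */
    private const KNOWN_COLUMNS = ['usr_id', 'usr_login_name', 'usr_timestamp_create', 'usd_value'];
    private const SORT_DIRECTIONS = ['ASC', 'DESC'];
    /** User-facing operator keys mapped to the only SQL operators we will emit. */
    private const OPERATORS = ['eq' => '=', 'ne' => '<>', 'lt' => '<', 'gt' => '>', 'like' => 'LIKE'];

    /**
     * $storedColumns is what was read back from the configuration table, e.g.
     * [['column' => 'usr_login_name', 'sort' => 'DESC', 'op' => 'like', 'filter' => 'adm%']].
     * Returns [$sql, $params] for a prepared statement.
     */
    public function build(array $storedColumns): array
    {
        $select = [];
        $order  = [];
        $where  = [];
        $params = [];

        foreach ($storedColumns as $i => $cfg) {
            $column   = $this->assertKnownColumn((string) ($cfg['column'] ?? ''));
            $select[] = $column;

            if (isset($cfg['sort']) && $cfg['sort'] !== '') {
                $dir = strtoupper((string) $cfg['sort']);
                if (!in_array($dir, self::SORT_DIRECTIONS, true)) {
                    throw new InvalidArgumentException("Invalid sort direction for $column");
                }
                $order[] = "$column $dir";
            }

            if (isset($cfg['filter']) && $cfg['filter'] !== '') {
                $op = self::OPERATORS[(string) ($cfg['op'] ?? 'eq')] ?? null;
                if ($op === null) {
                    throw new InvalidArgumentException("Invalid operator for $column");
                }
                // The user-controlled value never touches the SQL text.
                $name          = ':f' . (int) $i;
                $where[]       = "$column $op $name";
                $params[$name] = (string) $cfg['filter'];
            }
        }

        if ($select === []) {
            throw new InvalidArgumentException('List has no columns');
        }

        $sql = 'SELECT ' . implode(', ', $select) . ' FROM adm_users';
        if ($where !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $where);
        }
        if ($order !== []) {
            $sql .= ' ORDER BY ' . implode(', ', $order);
        }
        return [$sql, $params];
    }

    private function assertKnownColumn(string $column): string
    {
        if (in_array($column, self::KNOWN_COLUMNS, true)) {
            return $column;
        }
        // A stored value such as "usr_id; DROP TABLE adm_users" ends here.
        throw new InvalidArgumentException("Unknown list column: $column");
    }
}

// Usage (PDO handle $db and the configuration rows are assumed):
// [$sql, $params] = (new ListQueryBuilder())->build($rowsFromAdmListColumns);
// $stmt = $db->prepare($sql);
// $stmt->execute($params);
```

The same validation should also run at write time so that bad configuration is rejected early, but the read-side check is the one that closes the injection, because the stored rows may predate the fix or be edited outside the application.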

Missing Authorization on Forum Topic and Post Deletion
The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID.
This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78 
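Both the documents-and-files deletion issue and this forum deletion issue come down to the same missing gate: a destructive action must prove request provenance (POST plus CSRF token) and a delete-specific permission, and a view check is not a substitute for the latter. The PHP below is an added example of one guard applied to both cases; it is not Admidio's code. The DeleteGuard class, the session key csrf_token, and the permission methods on the user, folder and post objects (isEditableBy, ownerId, and so on) are assumptions; isAdministratorForum and adm_csrf_token are the names the advisories use.

```php
<?php
// Hypothetical delete-action guard (not Admidio's code), shown applied to a
// document-folder delete and a forum-post delete.

final class DeleteGuard
{
    /**
     * Order matters:
     *  1. only POST may change state, so a bare link or <img src> cannot trigger it;
     *  2. the CSRF token proves the request came from our own form;
     *  3. the permission callback proves this user may delete this record.
     */
    public static function authorize(string $method, array $post, string $sessionToken, callable $mayDelete): void
    {
        if ($method !== 'POST') {
            throw new RuntimeException('Method not allowed', 405);
        }
        $token = $post['adm_csrf_token'] ?? '';
        if (!is_string($token) || $sessionToken === '' || !hash_equals($sessionToken, $token)) {
            throw new RuntimeException('Invalid CSRF token', 403);
        }
        if ($mayDelete() !== true) {
            // Read access never implies delete access.
            throw new RuntimeException('Forbidden', 403);
        }
    }
}

// Documents & files: the folder was located with a view-level lookup, which is
// fine for display but says nothing about deletion, so an edit right is required.
function deleteFolderAction(string $method, array $post, array $session, object $user, object $folder): void
{
    DeleteGuard::authorize(
        $method,
        $post,
        $session['csrf_token'] ?? '',
        fn() => $user->isAdministrator() || $folder->isEditableBy($user)   // assumed methods
    );
    $folder->delete();
}

// Forum: mirror the rule the save/edit paths already use: forum administrator or post owner.
function deletePostAction(string $method, array $post, array $session, object $user, object $forumPost): void
{
    DeleteGuard::authorize(
        $method,
        $post,
        $session['csrf_token'] ?? '',
        fn() => $user->isAdministratorForum() || $forumPost->ownerId() === $user->id()   // assumed methods
    );
    $forumPost->delete();
}

// Usage in a controller (record lookup by UUID from $_POST, not $_GET, is assumed):
// deleteFolderAction($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, $currentUser, $folder);
```

Because the permission check is a callable, the same guard serves every module, and a reviewer can grep for delete() calls that are not preceded by DeleteGuard::authorize().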

HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
The eCard send handler in Admidio uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78 

SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
The SSO metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73 
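FILTER_VALIDATE_URL only checks syntax, so the fix is a positive validation of scheme and destination followed by a transport that cannot be talked into other schemes or hosts. The PHP below is an added example of such a fetch; it is not Admidio's fetch_metadata.php. It assumes the endpoint exists to retrieve SAML metadata over HTTP(S), so the EntityDescriptor check at the end is an assumption, and the size and timeout limits are arbitrary choices for the example.

```php
<?php
// Hypothetical hardened metadata fetcher (not Admidio's code). Replaces
// file_get_contents() on a caller-supplied URL with: scheme allowlist, host
// that resolves only to public addresses, and a cURL transfer pinned to the
// validated address that does not follow redirects.

function isPublicIp(string $ip): bool
{
    // Rejects loopback, RFC 1918, link-local (including 169.254.169.254),
    // unique-local IPv6 and other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Returns [host, port, resolvedIps] or throws. Only http and https pass, so
 * file://, php://, data:// and ftp:// never reach the transport layer.
 */
function validateMetadataUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https are allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in URL are not allowed');
    }
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // A literal IP must itself be public; a hostname must resolve only to public IPs.
    // gethostbynamel() returns IPv4 records only; an IPv6-aware deployment would
    // use dns_get_record() with DNS_AAAA as well.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        throw new InvalidArgumentException('Host does not resolve');
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            throw new InvalidArgumentException('Host resolves to a non-public address');
        }
    }
    return [$host, $port, $ips];
}

function fetchMetadata(string $url, int $maxBytes = 1048576): string
{
    [$host, $port, $ips] = validateMetadataUrl($url);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect to an internal host is never followed
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
        // Connect to the address we just validated, not to whatever the name
        // resolves to a moment later (DNS rebinding between check and use).
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException('Metadata fetch failed');
    }
    // Assumption: the endpoint expects SAML metadata. Returning only documents that
    // look like metadata avoids echoing arbitrary response bodies back to the caller.
    if (stripos($body, 'EntityDescriptor') === false) {
        throw new RuntimeException('Response is not SAML metadata');
    }
    return $body;
}

// Usage (the URL is a placeholder):
// echo fetchMetadata('https://idp.example.org/metadata.xml');
```

Restricting the feature to administrators, as the advisory notes is already the case, limits who can reach the endpoint but does not change what the server will fetch; the scheme and address checks are what remove the local file read and the internal-network reach.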

Missing CSRF Protection on Role Membership Date Changes
The save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx 

Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2
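The save_membership omission and the role delete/activate/deactivate omission share a root cause: the CSRF check lived inside a per-mode condition, so any mode left out of that condition ran unprotected. The PHP below is an added example of the structural alternative, validating once before dispatch for every mode not explicitly declared read-only; it is not Admidio's profile_function.php or groups_roles.php. The ModeDispatcher class, the session key csrf_token and the list of read-only modes are assumptions; the mode names and adm_csrf_token come from the advisories, and the handler bodies are placeholders.

```php
<?php
// Hypothetical request dispatcher (not Admidio's code). The CSRF check runs
// once, for every state-changing mode, before any mode-specific code, so a
// newly added mode cannot be forgotten.

final class ModeDispatcher
{
    /** Modes that only read data; everything else is treated as state-changing (assumed list). */
    private const READ_ONLY_MODES = ['cards', 'list', 'show'];

    /** @var array<string, callable> */
    private array $handlers = [];

    public function register(string $mode, callable $handler): void
    {
        $this->handlers[$mode] = $handler;
    }

    public function dispatch(string $method, array $get, array $post, string $sessionToken)
    {
        $mode = (string) ($post['mode'] ?? $get['mode'] ?? '');
        if (!isset($this->handlers[$mode])) {
            throw new RuntimeException('Unknown mode', 404);
        }

        if (!in_array($mode, self::READ_ONLY_MODES, true)) {
            // Deny by default: a mode not explicitly marked read-only gets the full check.
            if ($method !== 'POST') {
                throw new RuntimeException('State-changing mode requires POST', 405);
            }
            $token = $post['adm_csrf_token'] ?? '';
            if (!is_string($token) || $sessionToken === '' || !hash_equals($sessionToken, $token)) {
                throw new RuntimeException('Invalid CSRF token', 403);
            }
        }
        return ($this->handlers[$mode])($get, $post);
    }
}

// Wiring for the modes named in the advisories (handler bodies are placeholders).
$dispatcher = new ModeDispatcher();
$dispatcher->register('cards', fn(array $get, array $post) => 'render role cards');
foreach (['delete', 'activate', 'deactivate', 'save_membership', 'stop_membership', 'remove_former_membership'] as $mode) {
    // fn() captures $mode by value, so each closure keeps its own mode name.
    $dispatcher->register($mode, fn(array $get, array $post) => "apply $mode to " . (string) ($post['uuid'] ?? ''));
}

// Usage in the front controller:
// $result = $dispatcher->dispatch($_SERVER['REQUEST_METHOD'], $_GET, $_POST, $_SESSION['csrf_token'] ?? '');
```

The dispatcher only establishes that the request came from the application's own form; the authorization decision (for example, that the user holds rol_assign_roles, or leads the role whose membership dates are being changed) still belongs inside each handler.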