Announcements

Admidio 5.0.7 released

Several security vulnerabilities, some of them critical, have been discovered in Admidio. All of these have been fixed in version 5.0.7. We strongly recommend updating to this version.
 

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio


The Admidio Team

Critical security vulnerabilities found in Admidio

Several security vulnerabilities, some of them critical, have been discovered in Admidio. All of these have been fixed in version 5.0.7. We strongly recommend updating to this version.

Missing Authorization and CSRF Protection on Document and Folder Deletion
The documents and files module in Admidio does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f 

File Upload (RCE) Vulnerability
A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5

Second-Order SQL Injection via List Configuration
The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements (safe storage), but are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization. This is a classic second-order SQL injection: safe write, unsafe read.
An attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m 
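A safe read-back of the stored list configuration, as an added example that is not Admidio's code: the allowlist, the table name and the lsc_* keys are constructed assumptions. The point is that a value coming out of adm_list_columns is validated exactly like fresh user input before it is used to build SQL.

```php
<?php
// Added example, not Admidio code: reading a stored list configuration back safely.
// Column names are matched against an allowlist of real columns, the sort direction
// against a fixed set, and filter values become bound parameters, so no text from the
// stored row is ever concatenated into SQL. The allowlist, table name and lsc_* keys are
// constructed assumptions, not the real schema.
const ALLOWED_COLUMNS = ['usr_id', 'last_name', 'first_name', 'email', 'birthday'];

// Returns [$sql, $params] ready for $pdo->prepare($sql)->execute($params).
function buildListQuery(array $storedColumns): array
{
    $select = $order = $where = $params = [];
    foreach (array_values($storedColumns) as $i => $col) {
        $name = (string) ($col['lsc_column'] ?? '');
        if (!in_array($name, ALLOWED_COLUMNS, true)) {
            // A value read from the database is input like any other: reject it, never quote it.
            throw new InvalidArgumentException("unknown column: $name");
        }
        $select[] = $name;   // allowlisted identifier, so no quoting is needed (MySQL and PostgreSQL)
        $dir = strtoupper((string) ($col['lsc_sort'] ?? ''));
        if ($dir === 'ASC' || $dir === 'DESC') {
            $order[] = "$name $dir";
        } elseif ($dir !== '') {
            throw new InvalidArgumentException("bad sort direction: $dir");
        }
        $filter = (string) ($col['lsc_filter'] ?? '');
        if ($filter !== '') {
            $where[] = "$name LIKE :f$i";
            $params[":f$i"] = $filter;   // bound: quotes or semicolons inside it stay data
        }
    }
    $sql = 'SELECT ' . implode(', ', $select) . ' FROM adm_users';
    if ($where !== []) { $sql .= ' WHERE ' . implode(' AND ', $where); }
    if ($order !== []) { $sql .= ' ORDER BY ' . implode(', ', $order); }
    return [$sql, $params];
}

// Constructed stored rows: a valid configuration, then one whose column name is not an identifier.
[$sql, $params] = buildListQuery([
    ['lsc_column' => 'last_name', 'lsc_sort' => 'ASC', 'lsc_filter' => 'M%'],
    ['lsc_column' => 'email'],
]);
echo $sql, PHP_EOL;
try {
    buildListQuery([['lsc_column' => 'last_name; --', 'lsc_sort' => 'ASC']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected at read time: ', $e->getMessage(), PHP_EOL;
}
```

The same validation belongs at write time too, but the read-time check is the one that closes a second-order injection, because rows written by an older version or by direct database access never passed the form.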

Missing Authorization on Forum Topic and Post Deletion
The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID.
This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78 

HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
The eCard send handler in Admidio uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-g375-5wmp-xr78 

SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
The SSO metadata fetch endpoint at modules/sso/fetch_metadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents(). FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated administrator can use this endpoint to read arbitrary local files via the file:// wrapper (Local File Read), reach internal services via http:// (SSRF), or fetch cloud instance metadata. The full response body is returned verbatim to the caller.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-6j68-gcc3-mq73 
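A fetch helper for the metadata endpoint, as an added example that is not Admidio's code (checkFetchUrl and fetchMetadata are assumed names): it adds the scheme and address checks that FILTER_VALIDATE_URL does not perform, and pins the checked address for the request so a changing DNS answer cannot route it elsewhere.

```php
<?php
// Added example, not Admidio code: a fetch helper for the metadata endpoint that accepts only
// http(s) URLs whose host resolves to a public address, and pins that address for the request
// so a DNS answer cannot change between the check and the fetch. FILTER_VALIDATE_URL stays
// as a syntax check only. Function names are assumed.
function checkFetchUrl(string $url): array
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('not a URL');
    }
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme '$scheme' refused");   // file://, ftp://, data://, php://
    }
    $host = strtolower($p['host'] ?? '');
    if ($host === '' || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('missing host or embedded credentials');
    }
    // IPv4 only: an unresolvable name comes back unchanged and an IPv6 literal keeps its brackets, so both fail below.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    // Private and reserved ranges are refused; 169.254.0.0/16 (link-local, cloud metadata services) is reserved.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new InvalidArgumentException("host resolves to a non-public address ($ip)");
    }
    return ['host' => $host, 'port' => $p['port'] ?? ($scheme === 'https' ? 443 : 80), 'ip' => $ip];
}
function fetchMetadata(string $url): string
{
    $t  = checkFetchUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,   // curl itself refuses other schemes
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect to an internal host would bypass checkFetchUrl()
        CURLOPT_RESOLVE         => ["{$t['host']}:{$t['port']}:{$t['ip']}"],   // pin the checked address
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    return $body;   // still untrusted remote XML: parse it, do not return it verbatim to the browser
}
// Constructed inputs: each passes FILTER_VALIDATE_URL yet is refused by the checks above.
foreach (['file:///etc/hostname', 'http://127.0.0.1/', 'http://169.254.169.254/'] as $u) {
    try { checkFetchUrl($u); } catch (InvalidArgumentException $e) { echo "$u: {$e->getMessage()}\n"; }
}
```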

Missing CSRF Protection on Role Membership Date Changes
The save_membership action in modules/profile/profile_function.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stop_membership and remove_former_membership against the CSRF token but omits save_membership from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx 

Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.
For more information visit https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2 
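The four advisories above that concern deletion and state changes (documents and folders, forum topics and posts, membership dates, roles) share one pattern, so one added example serves them all, and the same fail-closed ordering is what the upload handler in the second advisory lacked. This is not Admidio's code; the session key, the right name and the in-memory folder store are hypothetical stand-ins for the application's own layers.

```php
<?php
// Added example, not Admidio code: a folder-delete handler that fails closed. POST only,
// CSRF token first, then the delete right (not the weaker view right), then the database
// call. Names marked HYPOTHETICAL stand in for the app's own session keys, rights and data layer.
final class Forbidden extends RuntimeException {}
// Constant-time comparison; a missing or empty session token never matches.
function verifyCsrfToken(array $post, array $session): void
{
    $submitted = $post['adm_csrf_token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';       // HYPOTHETICAL session key
    if (!is_string($submitted) || $expected === '' || !hash_equals($expected, $submitted)) {
        throw new Forbidden('invalid CSRF token');
    }
}

// Deleting needs an explicit edit right or ownership; being allowed to view
// the folder (the only check the advisory describes) is not sufficient.
function mayDeleteFolder(array $user, array $folder): bool
{
    return ($user['rights']['documents_edit'] ?? false) === true   // HYPOTHETICAL right name
        || ($folder['owner_uuid'] ?? null) === ($user['uuid'] ?? null);
}
// $folders is a HYPOTHETICAL in-memory store (uuid => row); returns it after the deletion.
function handleFolderDelete(string $method, array $post, array $session, array $user, array $folders): array
{
    if ($method !== 'POST') {                 // a plain GET link must never delete anything
        throw new Forbidden('delete requires POST');
    }
    verifyCsrfToken($post, $session);         // before any other input is read
    $uuid   = (string) ($post['folder_uuid'] ?? '');
    $folder = $folders[$uuid] ?? null;
    if ($folder === null || !mayDeleteFolder($user, $folder)) {
        throw new Forbidden('folder not found or no permission');  // one message: no UUID oracle
    }
    unset($folders[$uuid]);                   // stands in for $folder->delete()
    return $folders;
}

// Constructed sample data: the viewer may read the public folder but does not own it.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$folders = ['f-1' => ['owner_uuid' => 'u-owner', 'fol_public' => true]];
$post    = ['folder_uuid' => 'f-1', 'adm_csrf_token' => $session['csrf_token']];
try {
    handleFolderDelete('POST', $post, $session, ['uuid' => 'u-viewer', 'rights' => []], $folders);
} catch (Forbidden $e) {
    echo 'viewer refused: ', $e->getMessage(), PHP_EOL;
}
$left = handleFolderDelete('POST', $post, $session, ['uuid' => 'u-owner', 'rights' => []], $folders);
echo 'folders left after owner delete: ', count($left), PHP_EOL;
```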

 

Admidio 5.0.6 released

Three new languages—Tamil, Czech, and Romanian—have been added. Additionally, a security vulnerability related to event participation has been fixed.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio


The Admidio Team

Admidio 5.0.5 released

In version 5.0.5, a bug in the display of unauthorized contacts has been fixed.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio


The Admidio Team

-----------------------------------------------------------------------------------

In version 5.0.5, a bug in the display of unauthorized contacts has been fixed.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio

The Admidio Team

Admidio 5.0.4 released

Admidio 5.0.4 comes with some bugfixes around contacts and profiles. As always, we recommend everyone update to this version.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio


The Admidio Team

-----------------------------------------------------------------------------------

Admidio 5.0.4 contains some bugfixes relating to contacts and profiles. As always, we recommend everyone update to this version.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio

The Admidio Team

Admidio 5.0.3 released

Admidio 5.0.3 comes with some bugfixes around the event module. As always, we recommend everyone update to this version.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio 5.0.3


The Admidio Team

-----------------------------------------------------------------------------------

Admidio 5.0.3 contains some bugfixes around the event module. As always, we recommend everyone update to this version.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio 5.0.3

The Admidio Team

Admidio 5.0.2 released

We are releasing Admidio 5.0.2. This version contains some important fixes around contacts, so we recommend everyone update to this version.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio 5.0.2


The Admidio Team

-----------------------------------------------------------------------------------

We are releasing Admidio 5.0.2. This version contains some important fixes relating to contacts. We therefore recommend all users update to this version.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio 5.0.2

The Admidio Team

Admidio 5.0.1 released

We are releasing Admidio 5.0.1, the first bugfix update for our 5.0 series. This version contains some important fixes for PostgreSQL, so if you use this database and are still on 5.0.0, please update to 5.0.1.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio 5.0.1


The Admidio Team

-----------------------------------------------------------------------------------

We are releasing Admidio 5.0.1, the first bugfix update for our 5.0 series. This version contains some important fixes for PostgreSQL. If you use this database, please update to 5.0.1 if you are already on 5.0.0.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio 5.0.1

The Admidio Team

Admidio 5.0 released!

We are proud to announce version 5 of Admidio. At this point we would like to thank everyone who helped us during the beta phase and reported problems and improvements. We were able to identify and fix some issues.

A full list of all bugfixes can be found in our issue tracker!

We recommend reading our announcements for version 5 if you have not done so already.

If you are new to Admidio and want to install it on your web page, the following wiki page could help: Install Admidio
The following wiki page may be of interest for an update:
Update Admidio

Download Admidio 5.0


The Admidio Team

-----------------------------------------------------------------------------------

We are proud to announce version 5 of Admidio. At this point we would like to thank everyone who helped us during the beta phase and reported problems and improvements. We were able to identify and fix some issues.

A full list of all bugfixes can be found in our changelog!

We recommend reading the announcements for version 5 if you have not already done so.

If you are new to Admidio and want to install it on your homepage, please follow the instructions in our wiki: Install Admidio
The following links will help you update your existing installation:
Update Admidio

Download Admidio 5.0

The Admidio Team

Admidio 5.0 Beta 3 released

Our third beta of Admidio 5.0 is now available for testing. Within our wiki we have a page which describes the main new features of Admidio 5.

You can support us with testing in different ways. The easiest way is our playground with an already installed Admidio version. There you can log in with the standard accounts and try out any functions. Alternatively, you can download the current beta and install it on your local web server. Try an update with your data or set up a completely new organization.

Feedback on the new version is welcome in our beta test forum.

We are curious about your feedback. If you have small suggestions for improvements to new or existing features, just let us know in the beta forum.

Many greetings
Your Admidio Team

 

-------------------------------------------------------------------------------------------------------------

Our third beta of Admidio 5.0 is now available for testing. Our wiki has a page describing the most important new features of Admidio 5.

You can support us with testing in different ways. The easiest way is our playground with an already installed Admidio version. There you can log in with the standard accounts and try out any functions. Alternatively, you can download the current beta and install it on a local web server of your own. Try an update with your data or set up a completely new organization.

Feedback on the new version is welcome in our beta test forum.

We are curious about your feedback. If you have small suggestions for improvements to new or existing features, just let us know in the beta forum.

Many greetings
Your Admidio Team