Overview
Admidio has released updates to address two vulnerabilities in its application. Users of affected versions are advised to update to the latest version.
Affected Products
CVE-2024-38529
- Admidio versions prior to 4.3.10 (4.3.10 itself is not affected)
CVE-2024-37906
- Admidio versions prior to 4.3.9 (4.3.9 itself is not affected)
Resolved Vulnerabilities
Remote code execution vulnerability via arbitrary file upload in the message attachment feature of the Messages module in the Admidio application (CVE-2024-38529)
SQL injection vulnerability in the `/adm_program/modules/ecards/ecard_send.php` source file in the Admidio application that could compromise the application’s database (CVE-2024-37906)
Vulnerability Patches
The following patched versions are available in the latest update. Follow the instructions on the referenced sites to update to the patched version.
CVE-2024-38529
- Admidio version: 4.3.10
CVE-2024-37906
- Admidio version: 4.3.9
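As an added example (not code from Admidio or from the advisory's author), the following Python script turns the affected ranges and fixed versions above into a check a defender can run against an installed Admidio version string. It compares versions numerically rather than as text, since "4.3.10" sorts before "4.3.9" as a string, which would misreport a patched install as vulnerable; the version strings it is run against here are constructed samples.

```python
"""Check an installed Admidio version string against the two advisories on this
page.  Added example, not Admidio project code.  Ranges are taken from the
advisory: CVE-2024-38529 affects releases before 4.3.10, CVE-2024-37906
affects releases before 4.3.9."""
import re
from typing import Dict, List, Tuple

# CVE id -> first fixed version, as stated in the advisory.
FIXED_IN: Dict[str, str] = {
    "CVE-2024-38529": "4.3.10",
    "CVE-2024-37906": "4.3.9",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '4.3.10' into ((4, 3, 10), False) so comparisons are numeric.

    An optional leading 'v' is ignored.  Any trailing suffix such as '-rc1' or
    '-beta' marks a pre-release build, which precedes the final release of the
    same number and is therefore still within the affected range."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    prerelease = bool(m.group(2))
    return numbers, prerelease


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in, i.e. inside the advisory's 'prior to X' range."""
    (a, a_pre), (b, b_pre) = parse_version(installed), parse_version(fixed_in)
    # Pad to equal length so that 4.3 compares as 4.3.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    if a != b:
        return a < b
    # Same numeric version: a pre-release build is older than the final release.
    return a_pre and not b_pre


def affected_cves(installed: str) -> List[str]:
    """Return the CVE ids from this advisory that apply to the installed version."""
    return [cve for cve, fixed in FIXED_IN.items() if is_affected(installed, fixed)]


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of each boundary.
    for sample in ["4.3.8", "4.3.9", "4.3.10", "v4.3.10-rc1", "4.2"]:
        print(sample, "->", affected_cves(sample) or "not affected by either CVE")
```

Run it with the version shown in the Admidio administration interface; an empty list means the install is at or beyond both fixed versions.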
Referenced Sites
[1] CVE-2024-38529 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-38529
[2] RCE via Arbitrary File Upload in Message Attachment
https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm
[3] CVE-2024-37906 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-37906
[4] Blind SQL Injection in ecard_send.php
https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3
Article Link: Admidio Application Security Update Advisory (CVE-2024-38529) – ASEC