Admidio Application Security Update Advisory (CVE-2024-38529)

Overview

Admidio has released an update to address a vulnerability in their application. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-38529

  • Admidio versions prior to 4.3.10 (4.3.10 itself excluded)

CVE-2024-37906

  • Admidio versions prior to 4.3.9 (4.3.9 itself excluded)

Resolved Vulnerabilities

Remote code execution vulnerability in the Messages module in the Admidio application (CVE-2024-38529)
SQL injection vulnerability in the `/adm_program/modules/ecards/ecard_send.php` source file in the Admidio application that could compromise the application’s database (CVE-2024-37906)

Vulnerability Patches

The following patched versions are available in the latest update. Follow the instructions on the Referenced Sites to update to the patched version.

CVE-2024-38529

  • Admidio version: 4.3.10

CVE-2024-37906

  • Admidio version: 4.3.9
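Because the two fixes landed in different releases (4.3.9 closes the SQL injection, 4.3.10 closes the RCE), an operator checking a deployment has to compare the installed version against each advisory separately, and has to compare numerically rather than as strings (as strings, "4.3.9" sorts after "4.3.10"). The following is an added example, not code from the advisory or from the Admidio project; it assumes Admidio reports a plain dotted numeric version and encodes only the two affected ranges stated above.

```python
"""Check an installed Admidio version against the affected ranges stated in
this advisory.

Added example (not from the advisory or the Admidio project). It assumes the
installed version is a plain dotted numeric string such as "4.3.9".
"""
from typing import Dict, List, Tuple

# Fixed release per CVE, taken from the advisory text above. A deployment is
# affected when its version is strictly below the fixed release; the fixed
# release itself is not affected (the advisory's "excluded" upper bound).
ADVISORIES: Dict[str, str] = {
    "CVE-2024-38529": "4.3.10",  # RCE via arbitrary file upload in message attachment
    "CVE-2024-37906": "4.3.9",   # blind SQL injection in ecard_send.php
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.10' into (4, 3, 10) so each component compares numerically.

    A plain string comparison would get this wrong: '4.3.9' > '4.3.10' as
    text, which would mark a vulnerable 4.3.9 install as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return parse_version(installed) < parse_version(fixed_in)


def open_advisories(installed: str) -> List[str]:
    """CVE ids from this advisory whose fix the installed version lacks."""
    return [cve for cve, fixed in ADVISORIES.items() if is_affected(installed, fixed)]


if __name__ == "__main__":
    # Constructed sample versions spanning both fix boundaries.
    for v in ("4.3.8", "4.3.9", "4.3.10", "4.4.0"):
        print(v, open_advisories(v) or "no open advisories from this bulletin")
```

Run it with the version string from the Admidio instance; an empty list means both fixes in this bulletin are present, while a 4.3.9 install still reports CVE-2024-38529 as open.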

Referenced Sites

[1] CVE-2024-38529 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-38529

[2] RCE via Arbitrary File Upload in Message Attachment

https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm

[3] CVE-2024-37906 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-37906

[4] Blind SQL Injection in ecard_send.php

https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3

Article Link: Admidio Application Security Update Advisory (CVE-2024-38529) – ASEC