Broken Access Control on Private Message Function in admidio/admidio


Reported on

Jun 29th 2023


There is 2 issues I found in one function.

A = admin B = user1 C = attacker.

Scenario 1:

A send private message to B with subject "testing". B or C can change the subject, this will disturb Integrity of the messages as long as they know the UUID messages.

Scenario 2: A send private message to B. (e.g msg_uuid=1234) C can read all the convo between A and B, as long as C know the UUID messages.

Proof of Concept

Scenario 1: when B wanna reply the message from A, intercept the request and B modify the value of parameter msg_subject to anything, then the subject that A make gonna changed.

Scenario 2: C wanna try to reply any Private message from A. (e.g msg_uuid=1111) he then intercept the request, and replace the value of parameter msg_uuid 1111 to 1234 (the msg_uuid of A and B convo). C will able to read all the convo between A and B. when C choose send the request to A, then B will be lost access to his convo between him and A. also the message that B wrote on that messages will be change to A name .


lost of CIA for private messages modules.

We are processing your report and will contact the admidio team within 24 hours. 3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
admidio/admidio maintainer validated this vulnerability 2 months ago
amethama has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.10 with commit b0e1be 2 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
Markus Faßbender published this vulnerability 2 months ago
to join this conversation