Session Fixation in admidio/admidio


Reported on

Oct 17th 2021


Admin creates a user named B with the member role.

Then B logs in to Admidio.

After user B has already logged into Admidio, the admin decides to delete all roles of user B,

but user B can still do everything he/she could do before.
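The report describes stale authorization: a session that copies role membership at login keeps granting access after an admin revokes the roles. The model below is an added illustration, not Admidio's code and not a reproduction of the actual fix in commit 6a268e; the role store, session classes and user "B" are constructed for the example. It contrasts the vulnerable snapshot pattern with two hardened patterns: consulting the authoritative role store on every check, and invalidating the session when a role-change counter moves.

```python
# Constructed, in-memory stand-ins for the application's authoritative data.
ROLE_STORE = {"B": {"member"}}   # roles the admin manages
ROLE_VERSION = {"B": 0}          # bumped whenever a user's roles change


class StaleSession:
    """Vulnerable pattern: roles are copied into the session once at login
    and never refreshed, so revocation has no effect on a live session."""
    def __init__(self, user):
        self.user = user
        self.roles = set(ROLE_STORE.get(user, set()))  # one-time snapshot

    def can(self, role):
        return role in self.roles


class FreshSession:
    """Hardened pattern: the session carries only the identity; every
    authorization check reads the current roles from the role store."""
    def __init__(self, user):
        self.user = user

    def can(self, role):
        return role in ROLE_STORE.get(self.user, set())


class VersionedSession:
    """Hardened pattern with caching: roles are cached, but the session records
    the role version at login and is invalidated once that version changes."""
    def __init__(self, user):
        self.user = user
        self.roles = set(ROLE_STORE.get(user, set()))
        self.version = ROLE_VERSION.get(user, 0)

    def can(self, role):
        if self.version != ROLE_VERSION.get(self.user, 0):
            return False  # roles changed since login: session no longer trusted
        return role in self.roles


def admin_remove_all_roles(user):
    """Admin action from the report: strip every role and bump the version."""
    ROLE_STORE[user] = set()
    ROLE_VERSION[user] = ROLE_VERSION.get(user, 0) + 1


def demo(session_cls):
    """Replay the reported sequence; returns (access before, access after)."""
    ROLE_STORE["B"], ROLE_VERSION["B"] = {"member"}, 0
    session = session_cls("B")          # B logs in while holding "member"
    before = session.can("member")
    admin_remove_all_roles("B")         # admin deletes all of B's roles
    return before, session.can("member")
```

`demo(StaleSession)` returns `(True, True)`, reproducing the report; the two hardened variants return `(True, False)`.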

We have contacted a member of the Admidio team and are waiting to hear back (a year ago)
Markus Faßbender validated this vulnerability (a year ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender marked this as fixed with commit 6a268e (a year ago)
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE (a year ago)


This is fixed with version 4.0.11. Thanks for the research.
