Vulnerable CKEditor used on version 4.2.9 in admidio/admidio

Valid

Reported on

Jun 28th 2023


Description

When attaching an image in the mail feature, the upload uses a vulnerable version of CKEditor, which leads to RCE.

Proof of Concept

  1. Go to messages.
  2. Write an email.
  3. Add an image.
  4. Upload the PHP file.
  5. Access the uploaded PHP file in /adm_my_files/mail/images/

// PoC.js

Content-Disposition: form-data; name="upload"; filename="aaa.test.php"
Content-Type: image/jpeg

<?php phpinfo(); ?>


Impact

Remote code execution
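
A server-side check that would reject the upload shown in the PoC, as an added example that is not part of the original report and is not Admidio's code or its 4.2.10 fix. It ignores the client-supplied filename and Content-Type, inspects the bytes, and chooses the stored name itself; `safeImageName`, the allowlist and the sample inputs are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: detected MIME type => extension given to the stored file.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Hypothetical helper: decide from the uploaded bytes alone whether to keep a file.
 * The client-supplied filename and Content-Type are never consulted.
 * Returns a server-generated file name, or null if the upload must be rejected.
 */
function safeImageName(string $bytes): ?string
{
    // Detect the type from content (fileinfo extension), not from request headers.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // The data must also parse as an image header.
    if (@getimagesizefromstring($bytes) === false) {
        return null;
    }
    // Random name plus allowlisted extension: "aaa.test.php" never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed samples: the PoC body (declared as image/jpeg) and a 1x1 GIF.
$samples = [
    'aaa.test.php' => "<?php phpinfo(); ?>\n",
    'pixel.gif'    => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
];

foreach ($samples as $clientName => $bytes) {
    $stored = safeImageName($bytes);
    printf("%-14s => %s\n", $clientName, $stored ?? 'rejected');
}
```

Content checks like this do not replace keeping the upload folder non-executable and out of direct web reach.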

We are processing your report and will contact the admidio team within 24 hours. 3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
amethama
3 months ago

Researcher


Is there any update related to this, guys?

Markus Faßbender modified the Severity from High (7.2) to Medium (6.7) 2 months ago
Markus
2 months ago

Maintainer


Sorry, I was just now able to look at your report. Thanks for your research!

Ok, you are able to create a file with PHP code, but in a default configuration you do not have access to the folder adm_my_files directly, so you are not able to execute that file. So I changed the availability to low.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Markus Faßbender validated this vulnerability 2 months ago
amethama has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.10 with commit d66585 2 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
amethama
2 months ago

Researcher


Hello, may I know if I will get a CVE for this?

Thank you.

Markus
2 months ago

Maintainer


I have already assigned a CVE. Once this report is published you will get it.

Markus Faßbender published this vulnerability 2 months ago