Vulnerable CKEditor used on version 4.2.9 in admidio/admidio


Reported on

Jun 28th 2023


When attaching an image in the mail feature, the upload uses a vulnerable version of CKEditor that leads to RCE.

Proof of Concept

  1. Go to Messages.
  2. Write an email.
  3. Add an image.
  4. Upload the PHP file.
  5. Access the uploaded PHP file in /adm_my_files/mail/images/

// PoC.js

Content-Disposition: form-data; name="upload"; filename="aaa.test.php"
Content-Type: image/jpeg

<?php phpinfo(); ?>


Remote code execution
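The check a server-side upload handler needs in order to refuse the request shown in the PoC, written here as an added example for this page: it is not admidio's code and not the change made in commit d66585. The function names, the extension allowlist and the sample inputs are assumptions; the sample bodies are constructed. The decision rests on the final extension and on the file's real leading bytes, and the client-supplied Content-Type (image/jpeg in the PoC) is never consulted.

```php
<?php
// Added example, not admidio's code: validation for an image upload endpoint
// such as the one CKEditor posts to. Names, allowlist and samples are assumptions.

const ALLOWED_EXTENSIONS = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                            'png' => 'image/png',  'gif' => 'image/gif'];

/**
 * Detects the MIME type from the first bytes of the file, or returns null.
 * Only the allowlisted formats are recognised; everything else is unknown.
 */
function sniffImageMime(string $bytes): ?string
{
    if (strncmp($bytes, "\xFF\xD8\xFF", 3) === 0) {
        return 'image/jpeg';
    }
    if (strncmp($bytes, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'image/png';
    }
    if (strncmp($bytes, 'GIF87a', 6) === 0 || strncmp($bytes, 'GIF89a', 6) === 0) {
        return 'image/gif';
    }
    return null;
}

/**
 * Validates a candidate upload. Returns null when it is acceptable, otherwise
 * a short reason. The client-supplied Content-Type is deliberately not used.
 */
function validateImageUpload(string $originalName, string $bytes): ?string
{
    $name = basename($originalName);                 // drop any path component
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return 'invalid filename';                   // empty, hidden, or NUL-containing
    }
    // Every dot-separated suffix is inspected, so "x.test.php" and "x.php.jpg"
    // are both refused: a web server may honour any of the extensions.
    $parts = explode('.', strtolower($name));
    array_shift($parts);                             // remove the base name
    if ($parts === []) {
        return 'missing extension';
    }
    foreach ($parts as $ext) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $ext) === 1) {
            return 'executable extension';
        }
    }
    $last = end($parts);
    if (!isset(ALLOWED_EXTENSIONS[$last])) {
        return 'extension not allowed';
    }
    $sniffed = sniffImageMime($bytes);
    if ($sniffed === null) {
        return 'content is not a recognised image';
    }
    if ($sniffed !== ALLOWED_EXTENSIONS[$last]) {
        return 'extension does not match content';
    }
    return null;
}

/** Server-chosen storage name, so the client's filename never reaches disk. */
function storedName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: the body from the PoC, a minimal JPEG, and a double extension.
$samples = [
    'aaa.test.php'  => "<?php phpinfo(); ?>",
    'photo.jpg'     => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
    'photo.php.jpg' => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
];
foreach ($samples as $name => $bytes) {
    $verdict = validateImageUpload($name, $bytes);
    printf("%-14s -> %s\n", $name, $verdict ?? 'accepted as ' . storedName($name));
}
```

Run with `php upload_check.php`: the PoC name is rejected for its executable extension, the plain JPEG is accepted under a random server-chosen name, and the double-extension sample is rejected before its bytes are even examined. This is the first layer; the second, which the maintainer's reply below describes for the default configuration, is that adm_my_files is not reachable through the web server, so even a stored PHP file cannot be executed by requesting it.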

We are processing your report and will contact the admidio team within 24 hours. 3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
3 months ago


Is there any update related to this, guys?

Markus Faßbender modified the Severity from High (7.2) to Medium (6.7) 2 months ago
2 months ago


Sorry I was just now able to look for your report. Thanks for your research!

OK, you are able to create a file with PHP code, but in a default configuration you do not have access to the folder adm_my_files directly, so you are not able to execute that file. So I changed the availability to low.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Markus Faßbender validated this vulnerability 2 months ago
amethama has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.10 with commit d66585 2 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
2 months ago


Hello, may I know if I will get a CVE for this?

Thank you.

2 months ago


I have already assigned a CVE. Once this report is published you will get it.

Markus Faßbender published this vulnerability 2 months ago