VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Admidio 3.3.5 Cross-Site Request Forgery via roles_function.php

CVE-2018-25370

Description

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Admidio 3.3.5 contains a CSRF vulnerability allowing low-privilege users to escalate privileges via crafted forms targeting roles_function.php.

Vulnerability

Admidio 3.3.5 includes a cross-site request forgery (CSRF) vulnerability in /adm_program/modules/roles/roles_function.php due to improper origin checking. An attacker can craft a malicious HTML form that, when submitted by an authenticated administrator, modifies role permissions. The form includes parameters such as rol_assign_roles, rol_approve_users, and rol_edit_user set to 1, enabling privilege escalation [2][3][4].

Exploitation

An attacker crafts a malicious HTML form (see [3] for PoC) and hosts it on a site controlled by them, or sends it via email. The form is designed to be submitted automatically via JavaScript or trick a logged-in administrator into clicking a submit button. The form targets roles_function.php with parameters that assign high privileges like role assignment and user approval. No authentication bypass is needed; the attack relies on the victim's active session [3][4].

Impact

Successful exploitation allows a low-privilege user to escalate their permissions to administrator level. The attacker can then assign roles, approve users, and edit user data, compromising the entire membership management system [2][3].

Mitigation

As of the available references, no fixed version has been released for this vulnerability. Users are advised to implement application-level CSRF protections such as anti-CSRF tokens, or to verify the Origin header on all sensitive actions. Organizations should consider restricting access to roles_function.php or using a web application firewall to detect and block malicious requests [3][4].
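The two controls named above (a per-session anti-CSRF token and an Origin/Referer check) are shown together below, as an added example that is not Admidio's code. The function names, the CSRF_* constants and the plain `$session`/`$post`/`$headers` arrays are this example's own assumptions, chosen so it runs from the PHP CLI on constructed input rather than inside a web server. The token check alone defeats the forged-form scenario described in the Vulnerability section, because a page on another site can cause the browser to send the victim's cookies but cannot read the token held in the victim's session; the origin check is defense in depth for the case where a token leaks.

```php
<?php
// Added example: per-session anti-CSRF token plus Origin/Referer check for a
// state-changing PHP endpoint. Function names, constants and the
// $session/$post/$headers arrays are assumptions of this example, not Admidio's API.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD = 'csrf_token';

/** Return the session's CSRF token, creating a random 32-byte one on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that performs a state change. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate a state-changing request.
 * $method: HTTP method; $post: POST fields; $headers: request headers with lower-case names;
 * $expectedOrigin: scheme + host the application is served from.
 * Returns null when the request is acceptable, otherwise the reason for rejecting it.
 */
function csrfViolation(string $method, array $post, array $headers, array $session, string $expectedOrigin): ?string
{
    // State changes are accepted over POST only; GET handlers must stay side-effect free.
    if ($method !== 'POST') {
        return 'state change must use POST';
    }

    // 1. Token check: the submitted token must equal the session token.
    //    hash_equals() compares in constant time.
    $sessionToken = $session[CSRF_SESSION_KEY] ?? '';
    $sentToken = $post[CSRF_FIELD] ?? '';
    if ($sessionToken === '' || !is_string($sentToken)
        || !hash_equals($sessionToken, $sentToken)) {
        return 'missing or mismatched CSRF token';
    }

    // 2. Origin check: prefer Origin, fall back to the Referer's scheme://host[:port],
    //    and reject when neither header is present or the value names another site.
    $source = $headers['origin'] ?? null;
    if ($source === null && isset($headers['referer'])) {
        $parts = parse_url($headers['referer']);
        if (isset($parts['scheme'], $parts['host'])) {
            $source = $parts['scheme'] . '://' . $parts['host']
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
        }
    }
    if ($source === null
        || strcasecmp(rtrim($source, '/'), rtrim($expectedOrigin, '/')) !== 0) {
        return 'request origin does not match ' . $expectedOrigin;
    }

    return null;
}

// --- Constructed demonstration (not captured traffic) ---
$session = [];
$token = csrfToken($session);
$origin = 'https://admidio.example'; // placeholder host

// Legitimate same-origin submission carrying the session token.
$ok = csrfViolation('POST', [CSRF_FIELD => $token, 'rol_assign_roles' => '1'],
    ['origin' => $origin], $session, $origin);
echo 'same-origin with token: ', $ok ?? 'accepted', PHP_EOL;

// Cross-site auto-submitted form: the browser attaches the victim's cookies, but the
// foreign page cannot read the session token and the Origin header names another site.
$forged = csrfViolation('POST', ['rol_assign_roles' => '1', 'rol_approve_users' => '1'],
    ['origin' => 'https://other.example'], $session, $origin);
echo 'cross-site without token: ', $forged, PHP_EOL;
```

In a real deployment the token comes from `$_SESSION`, the fields from `$_POST` and the headers from `$_SERVER`, and the check runs at the top of the handler before any write to role permissions. Rejected requests should be logged with the session's user id and the offending Origin, since a burst of such rejections is the detection signal for an attempted forgery campaign.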

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 products
  • Admidio/Admidio (inferred), 2 versions: <=3.3.5 + 1 more
    • (no CPE) range: <=3.3.5
    • (no CPE) range: =3.3.5

Patches

1 patch

9b8dd5d45c9a

set version to 3.3.6

https://github.com/admidio/admidio · Markus Faßbender · Sep 25, 2018 · Fixed in 3.3.6 (via release-tag)
1 file changed · +1 −1
  • adm_program/system/constants.php (+1 −1, modified)
    @@ -24,7 +24,7 @@
     
     define('ADMIDIO_VERSION_MAIN', 3);
     define('ADMIDIO_VERSION_MINOR', 3);
    -define('ADMIDIO_VERSION_PATCH', 5);
    +define('ADMIDIO_VERSION_PATCH', 6);
     define('ADMIDIO_VERSION_BETA', 0);
     define('ADMIDIO_VERSION', ADMIDIO_VERSION_MAIN . '.' . ADMIDIO_VERSION_MINOR . '.' . ADMIDIO_VERSION_PATCH);
     
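Review bot: the only change in this hunk is `ADMIDIO_VERSION_PATCH` going from 5 to 6 in constants.php; no CSRF remediation (token generation, token validation or Origin/Referer checking) appears anywhere in the diff, so this commit alone cannot be what closes the issue. If the actual fix lives in another commit of the 3.3.6 release, the commit message "set version to 3.3.6" should reference it, otherwise anyone auditing the "Fixed in 3.3.6" claim has no code to verify.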
    

Vulnerability mechanics

Root cause

"Improper origin checking allows cross-site request forgery, enabling low-privilege users to escalate their role permissions."

Attack vector

An attacker crafts a malicious HTML form that auto-submits POST data to `roles_function.php?rol_id=2&mode=2` [ref_id=1]. The form includes parameters such as `rol_assign_roles`, `rol_approve_users`, and `rol_edit_user` all set to `1`, which grant elevated permissions to the attacker's target role [ref_id=1]. Because the application performs improper origin checking, a low-privilege user who visits the attacker's page will unknowingly submit the request using their active session, escalating their own privileges without any additional authentication [ref_id=1].

Affected code

The vulnerable endpoint is `adm_program/modules/roles/roles_function.php` with parameters `rol_id=2&mode=2` [ref_id=1]. The patch only bumps the version number in `adm_program/system/constants.php` from 3.3.5 to 3.3.6 [patch_id=2473692]; no code-level fix is shown.

What the fix does

The only published patch increments the version constant from 3.3.5 to 3.3.6 in `constants.php` [patch_id=2473692]. No code-level remediation (such as adding CSRF tokens or origin validation) is present in the supplied diff. The advisory does not specify a fix; the version bump may indicate a release that includes an unreviewed security patch elsewhere in the repository.

Preconditions

  • auth: The victim must be logged into Admidio 3.3.5 with a low-privilege session.
  • input: The attacker must trick the victim into visiting a page containing the malicious HTML form.
  • network: The target Admidio instance must have the roles_function.php endpoint accessible.

Reproduction

1. Host the HTML form from the exploit (ref_id=1) on an attacker-controlled page, setting the form action to `http://Target/adm_program/modules/roles/roles_function.php?rol_id=2&mode=2`.
2. Ensure a low-privilege Admidio 3.3.5 user is logged in.
3. Lure the victim to the attacker's page; the form auto-submits via JavaScript or user click.
4. The victim's role permissions are silently escalated (rol_assign_roles, rol_approve_users, rol_edit_user, etc. set to 1).

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.