VYPR

Severity: Unrated · Source: NVD Advisory · Published May 20, 2021 · Updated Aug 3, 2024

Various

CVE-2021-32630

Description

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A PHP web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the PHP shell with a .phar extension and then visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by blocking the .phar extension from being uploaded, as is already done for .php, .phtml, .php5, etc. The vulnerability is patched in version 4.0.4.
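The mitigation named above is an extension check on uploaded file names. The following is an added example written for this page, not Admidio's own code or its 4.0.4 patch; the list of blocked extensions is an assumption about which suffixes the web server hands to the PHP interpreter and should be matched to the real Apache/PHP handler configuration. It also shows two details a simple check often misses: the comparison must be case-insensitive, and every suffix of the name must be inspected, because Apache's mod_mime can apply a handler to any of a file's extensions, not only the last one.

```php
<?php
// Added example, not Admidio's code: a conservative upload-name check that
// rejects any file whose extensions include a PHP-executable one, .phar included.
// BLOCKED_EXTENSIONS is an assumption; align it with the server's PHP handler mapping.

declare(strict_types=1);

/** Suffixes the web server may pass to the PHP interpreter (assumed list). */
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar', 'pht'];

/**
 * Return true if $filename may be stored under a web-reachable upload directory.
 * Every dot-separated suffix is checked ("shell.phar.txt" is rejected) and the
 * comparison is case-insensitive ("SHELL.PHAR" is rejected too).
 */
function isUploadNameAllowed(string $filename): bool
{
    // Drop any directory component a client might include in the name.
    $base = basename(str_replace('\\', '/', $filename));
    if ($base === '' || $base === '.' || $base === '..') {
        return false;
    }

    $parts = explode('.', strtolower($base));
    array_shift($parts); // the first segment is the file name, not an extension

    foreach ($parts as $ext) {
        if (in_array(trim($ext), BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names for demonstration only.
$samples = ['minutes.pdf', 'shell.phar', 'SHELL.PHAR', 'report.phar.txt', 'photo.jpeg'];
foreach ($samples as $name) {
    printf("%-16s %s\n", $name, isUploadNameAllowed($name) ? 'allowed' : 'rejected');
}
```

A deny-list like this reproduces the advisory's suggested fix, but an allow-list of expected document types is the stronger default, since any extension the server later learns to execute is otherwise missed; storing uploads outside the web root, or serving them only through a download handler that sets a non-executable content type, removes the execution path regardless of the name.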


Affected products

  • Admidio/Admidio (fuzzy match): versions < 4.0.4
  • (no CPE) range: < 4.0.4
