Improper Access Control in admidio/admidio
Description
CVE-2023-3303 is an improper access control vulnerability in Admidio before 4.2.9, allowing unauthorized access to photo albums.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2023-3303 is an improper access control vulnerability in the photo album module of Admidio, an open-source user management system. The bug exists in the photo_presenter.php script, where the photo_uuid parameter was not properly validated before use, allowing an attacker to bypass album visibility checks. The fix introduced a requirement that the photo_uuid parameter must have a value and added a call to $photoAlbum->isVisible() to check the user's permissions before displaying album content [2][3].
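The following is an added illustration of the pattern described above; it is not code from Admidio or from this advisory. It contrasts an ownership check that only runs when the identifier is non-empty (the fail-open shape) with the fail-closed shape the fix adopts: require the parameter, then ask the album object whether it is visible. The functions legacyAllowed, hardenedAllowed, isVisible and loadAlbum, and the ALBUMS data, are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Admidio's code. All names and data are constructed.

// Constructed stand-in for the photo album table (uuid => row).
const ALBUMS = [
    'album-org1-public' => ['org_id' => 1, 'locked' => false],
    'album-org1-locked' => ['org_id' => 1, 'locked' => true],
    'album-org2-public' => ['org_id' => 2, 'locked' => false],
];

// Reading an unknown uuid yields an "empty" row, the way a table object that
// never loaded a record reports empty values.
function loadAlbum(string $uuid): array
{
    return ALBUMS[$uuid] ?? ['org_id' => 0, 'locked' => false];
}

// Vulnerable shape: the organisation check only runs when photo_uuid is
// non-empty, so a request that simply omits the parameter passes through,
// and the locked flag is never consulted at all.
function legacyAllowed(array $get, int $currentOrgId): bool
{
    $uuid  = (string) ($get['photo_uuid'] ?? '');
    $album = loadAlbum($uuid);
    if ($uuid !== '' && $album['org_id'] !== $currentOrgId) {
        return false;
    }
    return true;
}

// Visibility rule kept in one place: an album of another organisation, or a
// locked album the caller may not edit, is not visible.
function isVisible(array $album, int $currentOrgId, bool $canEditPhotos): bool
{
    if ($album['org_id'] !== $currentOrgId) {
        return false;
    }
    if ($album['locked'] && !$canEditPhotos) {
        return false;
    }
    return true;
}

// Hardened shape: a missing identifier is rejected up front (the requireValue
// behaviour), and every remaining path goes through isVisible().
function hardenedAllowed(array $get, int $currentOrgId, bool $canEditPhotos): bool
{
    $uuid = (string) ($get['photo_uuid'] ?? '');
    if ($uuid === '') {
        return false;
    }
    return isVisible(loadAlbum($uuid), $currentOrgId, $canEditPhotos);
}

// Constructed requests as seen by a member of organisation 1 without
// photo-edit rights.
$cases = [
    'no photo_uuid at all'     => [],
    'empty photo_uuid'         => ['photo_uuid' => ''],
    'own public album'         => ['photo_uuid' => 'album-org1-public'],
    'own locked album'         => ['photo_uuid' => 'album-org1-locked'],
    'other organisation album' => ['photo_uuid' => 'album-org2-public'],
];

printf("%-26s %-8s %s\n", 'request', 'legacy', 'hardened');
foreach ($cases as $label => $get) {
    printf("%-26s %-8s %s\n", $label,
        legacyAllowed($get, 1) ? 'allow' : 'deny',
        hardenedAllowed($get, 1, false) ? 'allow' : 'deny');
}
```

Run with `php example.php`. The first two rows are the bug: with no identifier the legacy check short-circuits and grants access, while the hardened version denies. The locked-album row shows the second benefit of routing every decision through one visibility method, since the legacy code never looked at the lock flag at all.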
Exploitation
The vulnerability can be exploited by an unauthenticated attacker who sends a crafted HTTP request to the vulnerable endpoint without a valid photo_uuid parameter or with a manipulated one. No special privileges are required beyond network access to the Admidio instance. The attack surface is the public-facing photo presenter page, which prior to the patch did not enforce access controls on the album [3][4].
Impact
Successful exploitation allows an attacker to view photo albums that should not be accessible to them, potentially including private or restricted albums. This could lead to unauthorized disclosure of sensitive images and metadata associated with the organization's members or events [1][2].
Mitigation
The vulnerability was fixed in commit 3d8bafaa4e9b7a314ffdf548622a8c7b38faee8a and users are strongly advised to update to Admidio version 4.2.9 or later [2][3]. No workarounds have been provided; applying the update is the recommended remediation.
- GitHub - Admidio/admidio: Admidio is a free open source user management system for websites of organizations and groups. The system has a flexible role model so that it’s possible to reflect the structure and permissions of your organization.
- NVD - CVE-2023-3303
- ecard could sent if album is logged #1432 · Admidio/admidio@3d8bafa
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | < 4.2.9 | 4.2.9 |
Affected products: 2
Patches: 1
3d8bafaa4e9b: ecard could sent if album is logged #1432
4 files changed · +26 −23
adm_program/modules/ecards/ecard_send.php+14 −7 modified@@ -11,6 +11,12 @@ require_once(__DIR__ . '/../../system/common.php'); require_once(__DIR__ . '/ecard_function.php'); +// check if the module is enabled and disallow access if it's disabled +if (!$gSettingsManager->getBool('enable_ecard_module')) { + $gMessage->show($gL10n->get('SYS_MODULE_DISABLED')); + // => EXIT +} + // Initialize and check the parameters $postTemplateName = admFuncVariableIsValid($_POST, 'ecard_template', 'file', array('requireValue' => true)); $postPhotoUuid = admFuncVariableIsValid($_POST, 'photo_uuid', 'string', array('requireValue' => true)); @@ -33,14 +39,15 @@ // => EXIT } -// check if the module is enabled and disallow access if it's disabled -if (!$gSettingsManager->getBool('enable_ecard_module')) { - $gMessage->show($gL10n->get('SYS_MODULE_DISABLED')); +// check if user has right to view the album +if (!$photoAlbum->isVisible()) { + $gMessage->show($gL10n->get('SYS_INVALID_PAGE_VIEW')); // => EXIT } -// pruefen ob User eingeloggt ist -if (!$gValidLogin) { - $gMessage->show($gL10n->get('SYS_INVALID_PAGE_VIEW')); + +// the logged-in user has no valid mail address stored in his profile, which can be used as sender +if ($gValidLogin && $gCurrentUser->getValue('EMAIL') === '') { + $gMessage->show($gL10n->get('SYS_CURRENT_USER_NO_EMAIL', array('<a href="'.ADMIDIO_URL.FOLDER_MODULES.'/profile/profile.php">', '</a>'))); // => EXIT } @@ -58,7 +65,7 @@ // => EXIT } -// Template wird geholt +// read template from file system $ecardDataToParse = $funcClass->getEcardTemplate($postTemplateName); // if template was not found then show error
adm_program/modules/ecards/ecards.php+10 −14 modified@@ -19,7 +19,7 @@ require(__DIR__ . '/../../system/login_valid.php'); // Initialize and check the parameters -$getPhotoUuid = admFuncVariableIsValid($_GET, 'photo_uuid', 'string'); +$getPhotoUuid = admFuncVariableIsValid($_GET, 'photo_uuid', 'string', array('requireValue' => true)); $getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'string'); $getPhotoNr = admFuncVariableIsValid($_GET, 'photo_nr', 'int', array('requireValue' => true)); $showPage = admFuncVariableIsValid($_GET, 'show_page', 'int', array('defaultValue' => 1)); 
@@ -35,47 +35,43 @@ // => EXIT } -// URL auf Navigationstack ablegen +// Drop URL on navigation stack $gNavigation->addUrl(CURRENT_URL, $headline); -// Fotoveranstaltungs-Objekt erzeugen oder aus Session lesen +// Create photo album object or read from session if (isset($_SESSION['photo_album']) && (int) $_SESSION['photo_album']->getValue('pho_uuid') === $getPhotoUuid) { $photoAlbum =& $_SESSION['photo_album']; } else { - // einlesen des Albums falls noch nicht in Session gespeichert $photoAlbum = new TablePhotos($gDb); - if ($getPhotoUuid !== '') { - $photoAlbum->readDataByUuid($getPhotoUuid); - } + $photoAlbum->readDataByUuid($getPhotoUuid); $_SESSION['photo_album'] = $photoAlbum; } -// pruefen, ob Album zur aktuellen Organisation gehoert -if ($getPhotoUuid !== '' && (int) $photoAlbum->getValue('pho_org_id') !== $gCurrentOrgId) { +// check if user has right to view the album +if (!$photoAlbum->isVisible()) { $gMessage->show($gL10n->get('SYS_INVALID_PAGE_VIEW')); // => EXIT } if ($gValidLogin && $gCurrentUser->getValue('EMAIL') === '') { - // der eingeloggte Benutzer hat in seinem Profil keine gueltige Mailadresse hinterlegt, - // die als Absender genutzt werden kann... 
+ // the logged in user has no valid mail address stored in his profile, which can be used as sender $gMessage->show($gL10n->get('SYS_CURRENT_USER_NO_EMAIL', array('<a href="'.ADMIDIO_URL.FOLDER_MODULES.'/profile/profile.php">', '</a>'))); // => EXIT } if ($getUserUuid !== '') { - // usr_id wurde uebergeben, dann Kontaktdaten des Users aus der DB fischen + // UUID was set than read contact data of this user $user = new User($gDb, $gProfileFields); $user->readDataByUuid($getUserUuid); - // darf auf die User-Id zugegriffen werden + // check if the current user has the right communicate with that member if ((!$gCurrentUser->editUsers() && !isMember((int) $user->getValue('usr_id'))) || strlen($user->getValue('usr_id')) === 0) { $gMessage->show($gL10n->get('SYS_USER_ID_NOT_FOUND')); // => EXIT } - // besitzt der User eine gueltige E-Mail-Adresse + // check if the member has a valid email address if (!StringUtils::strValidCharacters($user->getValue('EMAIL'), 'email')) { $gMessage->show($gL10n->get('SYS_USER_NO_EMAIL', array($user->getValue('FIRST_NAME').' '.$user->getValue('LAST_NAME')))); // => EXIT
adm_program/modules/photos/photos.php+1 −1 modified@@ -59,7 +59,7 @@ $headline = $photoAlbum->getValue('pho_name'); - // URL auf Navigationstack ablegen + // Drop URL on navigation stack $gNavigation->addUrl(CURRENT_URL, $headline); } else { $headline = $getHeadline;
adm_program/system/classes/TablePhotos.php+1 −1 modified@@ -232,7 +232,7 @@ public function isVisible() return false; } // locked photo album could only be viewed by module administrators - elseif ((int) $this->getValue('pho_locked') === 1 && !$GLOBALS['gCurrentUser']->editPhotoRight()) { + elseif ($this->getValue('pho_locked') && !$GLOBALS['gCurrentUser']->editPhotoRight()) { return false; }
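Review bot: in the first ecard_send.php hunk, moving the enable_ecard_module check above the parameter parsing is the right order, because a disabled module no longer processes any POST input before refusing; note that this same hunk shows photo_uuid already read with `array('requireValue' => true)`, so in this file the access-control gap was in the later checks rather than in parameter validation, and the substantive change is in the second hunk.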
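Review bot: in the second ecard_send.php hunk, replacing `if (!$gValidLogin)` with `if (!$photoAlbum->isVisible())` removes the blanket login requirement, so authorization now rests entirely on isVisible(); the new sender check `if ($gValidLogin && $gCurrentUser->getValue('EMAIL') === '')` deliberately skips anonymous callers, which means the code that follows must have a defined sender address for the not-logged-in case, and this hunk does not show where that comes from. A one-line comment stating which address is used for guests, or a check that fails closed when no sender can be determined, would make the intent reviewable.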
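Review bot: in the first ecards.php hunk, adding `array('requireValue' => true)` to the photo_uuid read is the core of the fix for this script, since the later ownership check was guarded by `$getPhotoUuid !== ''` and an absent or empty parameter previously skipped it entirely; user_uuid staying optional is fine because the block further down handles the empty case explicitly.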
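Review bot: in the second ecards.php hunk, the unchanged session comparison `(int) $_SESSION['photo_album']->getValue('pho_uuid') === $getPhotoUuid` casts a UUID string to an integer and then strictly compares it with a string, which can never be true, so the cached branch is dead and the album is re-read from the database on every request; harmless for authorization, but the cast should be dropped. Separately, the explicit `pho_org_id !== $gCurrentOrgId` test is removed in favour of `isVisible()`, which is only safe if isVisible() performs that organisation comparison itself; the TablePhotos.php hunk in this patch shows only the locked-album branch, so that should be confirmed against the full method.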
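Review bot: in the TablePhotos.php hunk, loosening `(int) $this->getValue('pho_locked') === 1` to a truthiness test on pho_locked makes the locked check fail closed for any non-zero, non-empty value, which is the safer direction; a string '0' is still falsy in PHP, so an unlocked album stored that way keeps working, and this is consistent with the pho_locked flag now being consulted from both ecard scripts through isVisible().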
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.