Moderate severity · NVD Advisory · Published Jun 23, 2023 · Updated Nov 7, 2024

Improper Access Control in admidio/admidio

CVE-2023-3304

Description

Admidio prior to 4.2.9 had improper access control allowing a user to delete another user's private message by bypassing sender ID validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-3304 is an improper access control vulnerability in Admidio, a free open-source user management system, affecting versions prior to 4.2.9. The flaw exists in the message deletion functionality within adm_program/modules/messages. When a user deletes a message, the code only retrieves the message by UUID and proceeds to delete it without first verifying that the requesting user is the original sender. This missing authorization check allows any authenticated user to delete messages belonging to other users [3].

Attack Vector and Exploitation

An authenticated user can exploit this vulnerability by crafting a request to delete a private message that they did not send. The system does not compare the logged-in user's ID ($gCurrentUserId) against the message's sender ID (msg_usr_id_sender) before performing the deletion. The commit that fixes the issue adds a strict equality check, ensuring that only the sender of a message can delete it. The endpoint returns a simple "done" or "delete not OK" response, and the fix exits early with an error if the user is not the sender [3].
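As an added example (not Admidio's code), the ownership check the fix introduces, modelled in PHP on a constructed in-memory message table with assumed function names; it also refuses deletion when the UUID is unknown and normalizes the stored sender id so a string value from the database cannot defeat the strict comparison.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio's code: a stand-in for the deletion handler in
// adm_program/modules/messages/messages.php showing the ownership check the
// fix introduced, written to fail closed. Function and variable names are assumed.

// Constructed in-memory message table keyed by UUID; the sender id is stored
// as a string, as a row fetched through PDO often is.
$messages = [
    'a1b2-uuid' => ['msg_usr_id_sender' => '7',  'msg_subject' => 'hello'],
    'c3d4-uuid' => ['msg_usr_id_sender' => '12', 'msg_subject' => 'invoice'],
];

// Delete a message only when the current user is its sender.
// Returns the endpoint's two responses: 'done' or 'delete not OK'.
function deleteMessage(array &$messages, string $msgUuid, int $currentUserId): string
{
    // Unknown UUID: nothing to authorize, so refuse rather than assume.
    if (!isset($messages[$msgUuid])) {
        return 'delete not OK';
    }
    // Normalize the stored id before the strict comparison so a string '7'
    // from the database cannot make the legitimate sender fail the check.
    $senderId = (int) $messages[$msgUuid]['msg_usr_id_sender'];
    if ($senderId !== $currentUserId) {
        return 'delete not OK';
    }
    unset($messages[$msgUuid]);
    return 'done';
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// The sender (user 7) deletes their own message.
check(deleteMessage($messages, 'a1b2-uuid', 7) === 'done', 'sender may delete');
check(!isset($messages['a1b2-uuid']), 'message removed');
// Another authenticated user (id 7) tries to delete user 12's message.
check(deleteMessage($messages, 'c3d4-uuid', 7) === 'delete not OK', 'non-sender refused');
check(isset($messages['c3d4-uuid']), 'message kept');
// A UUID that does not exist is refused as well.
check(deleteMessage($messages, 'nope-uuid', 12) === 'delete not OK', 'unknown uuid refused');
echo "all checks passed\n";
```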

Impact

A successful exploit allows an attacker to delete private messages of any other user in the system. This could disrupt user communications, destroy evidence, or lead to confusion and loss of important information. The vulnerability does not require administrative privileges, only authentication as a regular user. The impact is limited to message deletion; reading another user's messages is not directly enabled by this bug [2].

Mitigation

The vulnerability was fixed in Admidio version 4.2.9. Users should upgrade to this version or later. The patch was contributed via a Huntr bounty report [4] and is visible in the referenced commit [3]. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
admidio/admidio (Packagist)  < 4.2.9             4.2.9

Affected products (2)

Patches (1)
3b248b7d5e0e

Message of another user could be deleted #1441

https://github.com/admidio/admidio · Markus Faßbender · Jun 15, 2023 · via ghsa
1 file changed · +10 −7
  • adm_program/modules/messages/messages.php · +10 −7 · modified
    @@ -38,14 +38,17 @@
         $delMessage = new TableMessage($gDb);
         $delMessage->readDataByUuid($getMsgUuid);
     
    -    // Function to delete message
    -    $returnCode = $delMessage->delete();
    -
    -    if ($returnCode) {
    -        echo 'done';
    -    } else {
    -        echo 'delete not OK';
    +    // only delete messages of the current user is allowed
    +    if ($delMessage->getValue('msg_usr_id_sender') === $gCurrentUserId) {
    +        $returnCode = $delMessage->delete();
    +
    +        if ($returnCode) {
    +            echo 'done';
    +            exit();
    +        }
         }
    +
    +    echo 'delete not OK';
         exit();
     }
     
    
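Review bot: the new check `if ($delMessage->getValue('msg_usr_id_sender') === $gCurrentUserId)` uses strict comparison, so confirm that getValue() returns an integer here; if the column value comes back from the database as a string (for example '42'), it will never be identical to the integer $gCurrentUserId and every deletion, including the sender's own, will fall through to 'delete not OK'. Casting both sides with (int) before comparing, or using a typed accessor if the model has one, avoids that while keeping the fail-closed behaviour. Minor: the comment would read better as `// only the current user's own messages may be deleted`, and the same branch now also covers the case where readDataByUuid() found no message, which is a correct refusal but gives the caller no way to tell the two cases apart.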

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
