Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
Description
Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated SQL injection in Admidio's member assignment functionality allows attackers with role assignment permissions to execute arbitrary SQL commands, leading to full database compromise.
Vulnerability
Overview
CVE-2025-62617 is an authenticated SQL injection vulnerability in Admidio, an open-source user management system, affecting versions prior to 4.3.17. The flaw resides in the adm_program/modules/groups-roles/members_assignment_data.php script, which handles AJAX requests for fetching user lists during role assignment. The filter_rol_uuid GET parameter is retrieved without proper sanitization for SQL context and is directly concatenated into a raw SQL query, allowing an attacker to inject arbitrary SQL commands [1][2].
Exploitation
Details
To exploit this vulnerability, an attacker must be an authenticated user with permissions to assign members to a role, such as an administrator. The vulnerable parameter is passed via a GET request, and the injected SQL is executed within a subselect query that retrieves member counts. No special network position is required beyond access to the Admidio web interface [2]. The commit that fixes the issue shows that the parameter is now sanitized using StringUtils::strValidCharacters with the 'noSpecialChar' option, which strips special characters that could be used for injection [4].
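The two patterns the text contrasts, as an added illustration that is not Admidio's code and not the fix commit's code: a filter value spliced into the SQL text versus the same value validated against an allowlist and bound as a query parameter. The table and column names, the UUID check and the sample rows are assumptions made for the example.

```php
<?php
// Added illustration of the bug class above; not Admidio's code. Table and
// column names are assumed for the example.
declare(strict_types=1);

/** Vulnerable pattern: the request value becomes part of the SQL text. */
function buildMemberCountSqlUnsafe(string $filterRolUuid): string
{
    return "SELECT COUNT(*) FROM role_members mem "
        . "JOIN roles rol ON rol.rol_id = mem.mem_rol_id "
        . "WHERE rol.rol_uuid = '" . $filterRolUuid . "'";
}

/** Allowlist check: the filter is either a well-formed UUID or rejected. */
function isUuid(string $value): bool
{
    $pattern = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    return preg_match($pattern, $value) === 1;
}

/** Hardened pattern: validate, then bind the value as a query parameter. */
function countRoleMembersSafe(PDO $db, string $filterRolUuid): int
{
    if (!isUuid($filterRolUuid)) {
        throw new InvalidArgumentException('filter_rol_uuid is not a UUID');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM role_members mem '
        . 'JOIN roles rol ON rol.rol_id = mem.mem_rol_id '
        . 'WHERE rol.rol_uuid = :uuid');
    $stmt->execute([':uuid' => $filterRolUuid]);
    return (int) $stmt->fetchColumn();
}

// Demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE roles (rol_id INTEGER PRIMARY KEY, rol_uuid TEXT)');
$db->exec('CREATE TABLE role_members (mem_id INTEGER PRIMARY KEY, mem_rol_id INTEGER)');
$db->exec("INSERT INTO roles VALUES (1, '11111111-2222-3333-4444-555555555555')");
$db->exec('INSERT INTO role_members (mem_rol_id) VALUES (1), (1), (1)');

// A single quote in the unsafe path closes the string literal, so everything
// after it is parsed as SQL; the safe path refuses the same value up front.
echo buildMemberCountSqlUnsafe("O'Brien"), PHP_EOL;
echo countRoleMembersSafe($db, '11111111-2222-3333-4444-555555555555'), PHP_EOL;
try {
    countRoleMembersSafe($db, "O'Brien");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The hardened path rejects anything that is not a UUID before the database sees it, and the placeholder keeps whatever does pass from ever being interpreted as SQL.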
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the application's database. This can lead to reading, modifying, or deleting all data stored in the database, potentially resulting in a full compromise of the application and its data [1][2].
Mitigation
The vulnerability has been patched in Admidio version 4.3.17. Users are strongly advised to upgrade to this version or later to remediate the issue. No workarounds have been publicly documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | < 4.3.17 | 4.3.17 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- [1] github.com/advisories/GHSA-2v5m-cq9w-fc33 (GHSA, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-62617 (GHSA, ADVISORY)
- [3] github.com/Admidio/admidio/commit/fde81ae869e88a3cf42201f2548d57df785a37cb (GHSA, x_refsource_MISC, WEB)
- [4] github.com/Admidio/admidio/security/advisories/GHSA-2v5m-cq9w-fc33 (GHSA, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.