Admidio writes session IDs and auto-login cookie values to application logs
Description
Summary
When debug logging is enabled, Session::setCookie() logs full cookie values and Session::start() logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live bearer-style credentials from the logs.
Vulnerable Code Links
- https://github.com/Admidio/admidio/blob/v5.0.9/src/Session/Entity/Session.php#L533-L540
- https://github.com/Admidio/admidio/blob/v5.0.9/src/Session/Entity/Session.php#L615-L617
Vulnerable Code
// src/Session/Entity/Session.php
$gLogger->info('Set Cookie!', array(
    'name' => $name,
    'value' => $value,
    'expire' => $expire,
    'path' => $path,
    'domain' => $domain,
    'secure' => $secure,
    'httpOnly' => $httpOnly,
    'sameSite' => 'lax'
));
...
session_start();
$gLogger->info('Session Started!', array(
    'name' => $sessionName,
    'limit' => $limit,
    'path' => $path,
    'domain' => $domain,
    'secure' => $secure,
    'httpOnly' => $httpOnly,
    'sameSite' => 'lax',
    'sessionId' => session_id()
));
What Does The Code Mean
Every time Admidio sets a cookie, it writes the raw cookie value to the application log. When a session starts, it writes the active session identifier too.
Why The Code Is Vulnerable
Session IDs and persistent auto-login values are credentials. Logging them turns the log file into a credential store and expands the trust boundary to anyone who can read logs, backups, or external log aggregation outputs.
Verification
Environment
- Application: Admidio v5.0.9
- Runtime: Dockerized Admidio + MariaDB on http://localhost:18080
- Validation mode: real deployed application, not isolated unit tests
Steps To Reproduce
- Enable Admidio debug logging.
- Log in with auto_login=1 enabled.
- Inspect the generated application log.
- Observe that the log contains both the ADMIDIO_*_AUTO_LOGIN_ID value and the ADMIDIO_*_SESSION_ID value in cleartext.
PoC Script
from helpers import login, new_session, save_json


def main():
    # Log in with auto-login enabled so both cookies are issued and logged
    session = new_session()
    result = login(session, "admin", "AdminPass123!", auto_login=True)
    save_json("session_logging_login.json", result)


if __name__ == "__main__":
    main()
PoC Output
{
    "cookies": {
        "ADMIDIO_admidio_adm_AUTO_LOGIN_ID": "2%3AnO2BhCdRgFUMKT46e2EzS79Inf4oWiLWzLnX9Ko5",
        "ADMIDIO_admidio_adm_SESSION_ID": "iga3ujr67cti6s7btnuhecte67"
    },
    "csrf": "y41CaDdEO7RKug5FIRWO2Dx8w7KVQZ",
    "json": {
        "status": "success",
        "url": "http://localhost:18080/modules/overview.php"
    },
    "status_code": 200
}
5191:[2026-04-30 20:57:59.555213] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"8224iqk8aqcsb0062d0c3f1ish"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5291:[2026-04-30 20:57:59.575756] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"8224iqk8aqcsb0062d0c3f1ish"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5480:[2026-04-30 20:57:59.623872] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"733jf4j6po8m6b1g7glgaghfsg"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5624:[2026-04-30 20:57:59.663760] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"733jf4j6po8m6b1g7glgaghfsg"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5655:[2026-04-30 20:57:59.788831] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"ovnk3hhpj5829dj63pjk4i7k8b","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
5680:[2026-04-30 20:57:59.795443] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"ovnk3hhpj5829dj63pjk4i7k8b"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5815:[2026-04-30 20:57:59.838697] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"ovnk3hhpj5829dj63pjk4i7k8b"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5839:[2026-04-30 20:58:09.374182] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dvrl2qf92skdeimh77ruglr4ga"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
5983:[2026-04-30 20:58:09.423217] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dvrl2qf92skdeimh77ruglr4ga"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6014:[2026-04-30 20:58:09.550875] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"2th9qe9etfiis6nujdqpkfd9hv","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
6039:[2026-04-30 20:58:09.557823] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"2th9qe9etfiis6nujdqpkfd9hv"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6273:[2026-04-30 20:58:19.171185] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"k50i1toh4491o6v0htliv2kafs"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6417:[2026-04-30 20:58:19.212351] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"k50i1toh4491o6v0htliv2kafs"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6448:[2026-04-30 20:58:19.337758] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"4emiuth6i2fc1ho17nahf6n52g","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
6473:[2026-04-30 20:58:19.346804] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6605:[2026-04-30 20:58:19.390909] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6635:[2026-04-30 20:58:19.409216] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"4emiuth6i2fc1ho17nahf6n52g"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6676:[2026-04-30 20:58:31.002317] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"aegildsksa0i5184igdk12pdg3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6820:[2026-04-30 20:58:31.045064] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"aegildsksa0i5184igdk12pdg3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
6853:[2026-04-30 20:58:31.174884] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"9vsc7c5qv9cr4cavugitg6i2l3","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
6878:[2026-04-30 20:58:31.184031] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"9vsc7c5qv9cr4cavugitg6i2l3"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7010:[2026-04-30 20:58:40.393679] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"nr7mssfl6eupo9d2pboea7hmb2"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7154:[2026-04-30 20:58:40.438503] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"nr7mssfl6eupo9d2pboea7hmb2"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7185:[2026-04-30 20:58:40.564244] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"sts5aqfsvqghtl6bfq79a3ap2t","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
7210:[2026-04-30 20:58:40.571305] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"sts5aqfsvqghtl6bfq79a3ap2t"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7342:[2026-04-30 20:58:40.611506] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"sts5aqfsvqghtl6bfq79a3ap2t"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7414:[2026-04-30 21:01:44.898211] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dcgm8ebt3hkhmvvk9n860r6i5n"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7558:[2026-04-30 21:01:44.940724] Admidio.INFO: Session Started! {"name":"ADMIDIO_admidio_adm_SESSION_ID","limit":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax","sessionId":"dcgm8ebt3hkhmvvk9n860r6i5n"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":617,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"start"}
7591:[2026-04-30 21:01:45.066694] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_AUTO_LOGIN_ID","value":"2:nO2BhCdRgFUMKT46e2EzS79Inf4oWiLWzLnX9Ko5","expire":1809118905,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
7596:[2026-04-30 21:01:45.068352] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_admidio_adm_SESSION_ID","value":"iga3ujr67cti6s7btnuhecte67","expire":0,"path":"/","domain":false,"secure":false,"httpOnly":true,"sameSite":"lax"} {"file":"/opt/app-root/src/src/Session/Entity/Session.php","line":533,"class":"Admidio\\Session\\Entity\\Session","callType":"::","function":"setCookie"}
Impact
Any actor with log access can replay or abuse current session IDs and auto-login cookies, leading to session hijacking or long-lived account access depending on deployment and cookie lifetime.
Remediation And Suggestions
Never log raw session identifiers or cookie values. Replace them with fixed labels or redact most of the value before logging.
$gLogger->info('Set Cookie!', [
    'name' => $name,
    'value' => '[redacted]',
    'expire' => $expire,
    'path' => $path,
    'domain' => $domain,
    'secure' => $secure,
    'httpOnly' => $httpOnly,
    'sameSite' => 'lax',
]);
$gLogger->info('Session Started!', [
    'name' => $sessionName,
    'limit' => $limit,
    'path' => $path,
    'domain' => $domain,
    'secure' => $secure,
    'httpOnly' => $httpOnly,
    'sameSite' => 'lax',
    'sessionId' => '[redacted]',
]);
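Changing the logger does not clean entries that were written before the fix. As an added example (not part of the advisory or of Admidio's code), this Python script redacts the `value` and `sessionId` context fields in log lines shaped like the PoC output above and returns a short hash per leaked token so the matching sessions and auto-login entries can be invalidated. The function names `scrub_line` and `scrub_log` are hypothetical, and the sample lines and token values are constructed.

```python
import hashlib
import json
import re

# Constructed sample in the line format of the PoC output (token values are made up).
SAMPLE_LOG = "\n".join([
    '[2026-04-30 20:57:59.555213] Admidio.INFO: Session Started! {"name":"ADMIDIO_demo_adm_SESSION_ID","limit":0,"path":"/","sessionId":"aaaaaaaaaaaaaaaaaaaaaaaaaa"} {"file":"Session.php","line":617}',
    '[2026-04-30 20:57:59.788831] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_demo_adm_AUTO_LOGIN_ID","value":"2:EXAMPLEEXAMPLEEXAMPLE","expire":1809118905,"path":"/"} {"file":"Session.php","line":533}',
    # Shape of an entry that carries no "value" key: nothing to redact.
    '[2026-04-30 20:58:00.000000] Admidio.INFO: Set Cookie! {"name":"ADMIDIO_demo_adm_SESSION_ID","expire":0,"path":"/"} {"file":"Session.php","line":533}',
    '[2026-04-30 20:58:01.000000] Admidio.NOTICE: Unrelated entry {"user":"x"} {}',
])

# Log message -> context key that carries the credential in the vulnerable code.
SENSITIVE = {"Set Cookie!": "value", "Session Started!": "sessionId"}
# head = everything up to the context JSON, msg = log message, rest = context + extra JSON.
LINE_RE = re.compile(r"^(?P<head>.*?Admidio\.[A-Z]+: (?P<msg>[^{]+?) )(?P<rest>\{.*)$")
REDACTED = "[redacted]"


def scrub_line(line):
    """Return (clean_line, finding); finding is None when the line leaks nothing."""
    m = LINE_RE.match(line)
    key = SENSITIVE.get(m["msg"]) if m else None
    if key is None:
        return line, None
    try:
        # raw_decode parses only the first JSON object and reports where it ends,
        # so the trailing "extra" object is carried over unchanged.
        ctx, end = json.JSONDecoder().raw_decode(m["rest"])
    except json.JSONDecodeError:
        return line, None
    secret = ctx.get(key)
    if not isinstance(secret, str) or secret == REDACTED:
        return line, None
    ctx[key] = REDACTED
    clean = m["head"] + json.dumps(ctx, separators=(",", ":"), ensure_ascii=False) + m["rest"][end:]
    # A truncated hash identifies repeated tokens without storing the token itself.
    fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return clean, {"cookie": ctx.get("name"), "field": key, "fingerprint": fingerprint}


def scrub_log(text):
    """Redact every affected line; return (clean_text, list of findings)."""
    cleaned, findings = [], []
    for line in text.split("\n"):
        clean, finding = scrub_line(line)
        cleaned.append(clean)
        if finding:
            findings.append(finding)
    return "\n".join(cleaned), findings


if __name__ == "__main__":
    clean_text, found = scrub_log(SAMPLE_LOG)
    print(clean_text)
    for f in found:
        print("invalidate:", f)
```

Run it over rotated files, backups and aggregated copies as well as the live log, since each of those holds the same tokens.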
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admidio debug logging exposes session IDs and auto-login cookie values in cleartext, allowing credential theft from logs.
Vulnerability
In Admidio v5.0.9 (and possibly earlier), when debug logging is enabled, Session::setCookie() logs the full cookie value and Session::start() logs the session ID via $gLogger->info() calls. This includes both the active session cookie (ADMIDIO_*_SESSION_ID) and the persistent auto-login cookie (ADMIDIO_*_AUTO_LOGIN_ID). The vulnerable code is in src/Session/Entity/Session.php lines 533-540 and 615-617 [1][2].
Exploitation
An attacker needs read access to the application log files (e.g., via file inclusion, log aggregation, backup exposure, or shared hosting). No authentication is required to read logs if they are accessible. The attacker can extract the cleartext session ID and auto-login token from log entries. Steps: enable debug logging (if not already), trigger a login with auto_login=1, then inspect logs to find the credentials [1][2].
Impact
Successful exploitation allows the attacker to hijack active sessions or impersonate users via the auto-login cookie, gaining unauthorized access to the Admidio application with the victim's privileges. This is a credential disclosure vulnerability leading to account takeover [1][2].
Mitigation
Admidio has not yet released a fixed version as of the advisory date. The recommended mitigation is to disable debug logging in production environments and restrict access to log files. The vulnerability is tracked in the GitHub advisory GHSA-mch8-wf3h-6x88 [1][2]. No CVE KEV listing is mentioned.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1
993626dbc2b9 Session informations stored in log files #2048
1 file changed · +20 −28
src/Session/Entity/Session.php+20 −28 modified@@ -530,20 +530,16 @@ public static function setCookie( $secure = HTTPS; } - $gLogger->info('Set Cookie!', array('name' => $name, 'value' => $value, 'expire' => $expire, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httpOnly' => $httpOnly, 'sameSite' => 'lax')); - - if (PHP_VERSION_ID < 70300) { - return setcookie($name, $value, $expire, $path . ';samesite=lax', $domain, $secure, $httpOnly); - } else { - return setcookie($name, $value, array( - 'expires' => $expire, - 'path' => $path, - 'domain' => $domain, - 'secure' => $secure, - 'httponly' => $httpOnly, - 'samesite' => 'lax' - )); - } + $gLogger->info('Set Cookie!', array('name' => $name, 'expire' => $expire, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httpOnly' => $httpOnly, 'sameSite' => 'lax')); + + return setcookie($name, $value, array( + 'expires' => $expire, + 'path' => $path, + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httpOnly, + 'samesite' => 'lax' + )); } /** 
@@ -594,27 +590,23 @@ public static function start(string $cookiePrefix, int $limit = 0, string $path $secure = HTTPS; } - if (PHP_VERSION_ID < 70300) { - session_set_cookie_params($limit, $path . ';samesite=lax', $domain, $secure, $httpOnly); - } else { - session_set_cookie_params(array( - 'lifetime' => $limit, - 'path' => $path, - 'domain' => $domain, - 'secure' => $secure, - 'httponly' => $httpOnly, - 'samesite' => 'lax' - )); - } + session_set_cookie_params(array( + 'lifetime' => $limit, + 'path' => $path, + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httpOnly, + 'samesite' => 'lax' + )); if (session_status() === PHP_SESSION_ACTIVE) { - $gLogger->notice('Session is already started!', array('sessionId' => session_id())); + $gLogger->notice('Session is already started!'); } // Start session session_start(); - $gLogger->info('Session Started!', array('name' => $sessionName, 'limit' => $limit, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httpOnly' => $httpOnly, 'sameSite' => 'lax', 'sessionId' => session_id())); + $gLogger->info('Session Started!', array('name' => $sessionName, 'limit' => $limit, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httpOnly' => $httpOnly, 'sameSite' => 'lax')); } /**
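Review bot: In the first hunk (setCookie()), dropping the `PHP_VERSION_ID < 70300` branch is a separate behaviour change from removing `'value' => $value` from the log context, and the commit title only covers the logging part. Split it into its own commit or state the PHP 7.3 minimum in the message, so the credential fix can be reviewed and backported on its own.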
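Review bot: In the second hunk (start()), the `session_status() === PHP_SESSION_ACTIVE` branch still only logs and then falls through to `session_start()`, after `session_set_cookie_params()` has already run. Since the hunk touches that branch anyway, consider moving the check above `session_set_cookie_params()` and returning early. The notice also loses all context now; a non-secret field such as the session name would keep it useful without logging `session_id()`.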
Vulnerability mechanics
Root cause
"Session::setCookie() and Session::start() log raw cookie values and session IDs in cleartext when debug logging is enabled."
Attack vector
An attacker who gains read access to the application log file (e.g., via a separate file disclosure vulnerability, misconfigured log aggregation, or backup exposure) can extract live session IDs and persistent auto-login cookie values. These credentials are logged in cleartext by `Session::setCookie()` and `Session::start()` when debug logging is enabled [ref_id=1][ref_id=2]. The attacker can then replay the stolen cookie to impersonate the victim user without needing their password.
Affected code
The vulnerability is in `src/Session/Entity/Session.php` at lines 533–540 (`setCookie()`) and lines 615–617 (`start()`). Both methods pass raw cookie values and the session ID to `$gLogger->info()`, writing bearer-style credentials into the application log.
What the fix does
The patch replaces the raw `$value` and `session_id()` in the log context with the fixed string `'[redacted]'` [patch_id=3130369]. This prevents credential leakage while preserving the log entry structure for debugging. The advisory recommends this exact approach: never log raw session identifiers or cookie values [ref_id=1].
Preconditions
- config: Debug logging must be enabled in the Admidio configuration
- auth: The attacker must have read access to the application log file, backup, or log aggregation output
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2