FKIE_CVE-2026-32757

Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-23 16:52
Summary
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
Impacted products
Vendor Product Version
admidio admidio *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27",
              "versionEndExcluding": "5.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST[\u0027ecard_message\u0027] value instead of the HTMLPurifier-sanitized $formValues[\u0027ecard_message\u0027] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients\u0027 email clients. This issue has been fixed in version 5.0.7."
    },
    {
      "lang": "es",
      "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.6 e inferiores, el gestor de env\u00edo de eCard utiliza un valor $_POST[\u0027ecard_message\u0027] sin procesar en lugar del $formValues[\u0027ecard_message\u0027] saneado por HTMLPurifier al construir el HTML de la tarjeta de felicitaci\u00f3n. Esto permite a un atacante autenticado inyectar HTML y JavaScript arbitrarios en correos electr\u00f3nicos de tarjetas de felicitaci\u00f3n enviados a otros miembros, eludiendo el saneamiento de HTMLPurifier del lado del servidor que se aplica correctamente al campo ecard_message durante la validaci\u00f3n del formulario. Un ataque puede resultar en que cualquier miembro o rol reciba contenido de phishing que parezca leg\u00edtimo, pasando de la aplicaci\u00f3n web a los clientes de correo electr\u00f3nico de los destinatarios. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."
    }
  ],
  "id": "CVE-2026-32757",
  "lastModified": "2026-03-23T16:52:29.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T00:16:16.930",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

