CVE-2024-47836: HTML Injection Vulnerability in Admidio User Management

Updated: January 3rd, 2025

Product Name: Admidio/admidio
Vulnerability: HTML Injection
Vulnerable Version: v4.3.11
CVE: CVE-2024-47836

On October 9, 2024, the security researchers at Astra Security found an HTML injection vulnerability in the messages section of the Admidio User Management solution. The vulnerability, assigned CVE-2024-47836, allows attackers to inject arbitrary HTML content into the application, which could manipulate webpage behavior, mislead users, and act as a precursor to further attacks.

CVE-2024-47836: Technical Breakdown

How Was It Discovered?

Astra researchers tested Admidio for security vulnerabilities and discovered that user input in the messages section was not properly sanitized, allowing untrusted HTML tags to be injected.

How To Recreate This Vulnerability?

Insert the following payload in the message section:

Testing<br><h1>HTML</h1><br><h2>Injection</h2>

Upon submission, the untrusted HTML tags are reflected back and rendered as HTML on the application's front end instead of being displayed as literal text.

Impact of HTML Injection

Data Theft & Session Hijacking

Sensitive data such as cookies, session tokens, and user credentials can be stolen; by leveraging this vulnerability, attackers can hijack active sessions and gain unauthorized access to user accounts.

Phishing Attacks

Attackers can use the HTML injection vulnerability to insert fake login forms, contact forms, or questionnaires that extract sensitive user information, which can then be used for further exploitation.

Website Defacement

Attackers can make malicious modifications to the website content that impact the appearance and trust of the website. They can also inject advertisements on the web pages and disrupt the user experience.


Current Status and Mitigation

After discovering the vulnerability, the Admidio team was promptly notified, and they acknowledged the vulnerability in the affected version v4.3.11. The issue was fixed in v4.3.12, released by the team, which sanitizes the user input before it is rendered.
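The following is an added illustration of the defect class described in the recreation steps above and of the output-encoding fix referred to here; it is not Admidio's code and does not reproduce the project's patch. The payload string is the one quoted in the advisory; the wrapper markup, the function names, and the detection helper are assumptions made for the example. It contrasts a renderer that concatenates the message into markup unchanged with one that encodes it for an HTML text context, and it uses Python's own HTML parser to show what a browser would treat as tags in each case, which doubles as a simple check a defender can run over submitted messages.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload quoted in the advisory above.
SAMPLE_PAYLOAD = "Testing<br><h1>HTML</h1><br><h2>Injection</h2>"


class _TagCollector(HTMLParser):
    """Collects the start tags a browser-like parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(fragment: str) -> list:
    """Return the element names that would be created when `fragment` is rendered."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def render_message_vulnerable(message: str) -> str:
    """Hypothetical vulnerable renderer: user text is placed into markup unchanged,
    so any tags inside the message become part of the page structure."""
    return f'<div class="message">{message}</div>'


def render_message_fixed(message: str) -> str:
    """Hypothetical fixed renderer: the message lands in an HTML text node, so
    contextual output encoding turns < > & " ' into entities. The browser shows
    the payload as literal text and no element is created from it."""
    return f'<div class="message">{html.escape(message, quote=True)}</div>'


def looks_like_html_injection(message: str) -> bool:
    """Detection hook for logging or alerting: True when a submitted message
    contains something the HTML parser would turn into an element."""
    return len(rendered_tags(message)) > 0


if __name__ == "__main__":
    print("vulnerable :", rendered_tags(render_message_vulnerable(SAMPLE_PAYLOAD)))
    print("fixed      :", rendered_tags(render_message_fixed(SAMPLE_PAYLOAD)))
    print("flagged    :", looks_like_html_injection(SAMPLE_PAYLOAD))
```

Encoding at output time is preferred over stripping tags at input time because it keeps the stored message intact and is applied wherever the text is rendered; if an application must allow some formatting, an allowlist-based sanitizer should be used in place of plain escaping, never a blocklist of tag names.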

What Can You Do?

Update the affected version to the latest version of the Admidio User Management Software.