TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-34384

MEDIUM
4.5

Descricao

Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which correctly validates the token), these three approval actions read their parameters from $_GET and perform irreversible state changes without any protection. An attacker who has submitted a pending registration can extract their own user UUID from the registration confirmation email URL, then trick any user with the rol_approve_users right into visiting a crafted URL that automatically approves the registration. This bypasses the manual registration approval workflow entirely. This issue has been patched in version 5.0.8.

Detalhes CVE

Pontuacao CVSS v3.14.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosHIGH
Interacao do usuarioREQUIRED
Publicado3/31/2026
Ultima modificacao4/1/2026
Fontenvd
Avistamentos honeypot0

Produtos afetados

admidio:admidio

Fraquezas (CWE)

CWE-352

Referencias

https://github.com/Admidio/admidio/commit/707171c188b3e8f36007fc3f2bccbfac896ed019(security-advisories@github.com)
https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22(security-advisories@github.com)
https://github.com/Admidio/admidio/security/advisories/GHSA-ph84-r98x-2j22(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.