admidio CVE Vulnerabilities & Metrics

Focus on admidio vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About admidio Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with admidio. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total admidio CVEs: 14
Earliest CVE date: 24 Nov 2008, 17:30 UTC
Latest CVE date: 22 Nov 2023, 15:15 UTC

Latest CVE reference: CVE-2023-47380

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical admidio CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.88

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	9
4.0-6.9	5
7.0-8.9	0
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS admidio CVEs

These are the five CVEs with the highest CVSS scores for admidio, sorted by severity first and recency.

CVE-2017-6492 admidio Published on 05 Mar 2017, 20:59 UTC (CVSS: 9.0)
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.
CVE-2021-32630 admidio Published on 20 May 2021, 17:15 UTC (CVSS: 6.5)
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind ...
CVE-2022-0991 admidio Published on 19 Mar 2022, 08:15 UTC (CVSS: 6.4)
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
CVE-2020-11004 admidio Published on 24 Apr 2020, 21:15 UTC (CVSS: 5.0)
SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in v...
CVE-2008-5209 admidio Published on 24 Nov 2008, 17:30 UTC (CVSS: 5.0)
Directory traversal vulnerability in modules/download/get_file.php in Admidio 1.4.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

All CVEs for admidio

CVE-2023-47380 admidio vulnerability CVSS: 0 22 Nov 2023, 15:15 UTC

Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS).

CVE-2023-4190 admidio vulnerability CVSS: 0 06 Aug 2023, 01:15 UTC

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11.

CVE-2023-3692 admidio vulnerability CVSS: 0 16 Jul 2023, 01:15 UTC

Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.

CVE-2023-3304 admidio vulnerability CVSS: 0 23 Jun 2023, 13:15 UTC

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

CVE-2023-3303 admidio vulnerability CVSS: 0 23 Jun 2023, 13:15 UTC

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

CVE-2023-3302 admidio vulnerability CVSS: 0 23 Jun 2023, 13:15 UTC

Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.

CVE-2023-3109 admidio vulnerability CVSS: 0 05 Jun 2023, 16:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository admidio/admidio prior to 4.2.8.

CVE-2022-23896 admidio vulnerability CVSS: 3.5 28 Jun 2022, 13:15 UTC

Admidio 4.1.2 version is affected by stored cross-site scripting (XSS).

CVE-2022-0991 admidio vulnerability CVSS: 6.4 19 Mar 2022, 08:15 UTC

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.

CVE-2021-43810 admidio vulnerability CVSS: 4.3 07 Dec 2021, 22:15 UTC

Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.

CVE-2021-32630 admidio vulnerability CVSS: 6.5 20 May 2021, 17:15 UTC

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding a .phar file extension to be uploaded (like you did with .php .phtml .php5 etc). The vulnerability is patched in version 4.0.4.

CVE-2020-11004 admidio vulnerability CVSS: 5.0 24 Apr 2020, 21:15 UTC

SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.

CVE-2017-8382 admidio vulnerability CVSS: 3.5 16 May 2017, 10:29 UTC

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

CVE-2017-6492 admidio vulnerability CVSS: 9.0 05 Mar 2017, 20:59 UTC

SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.

CVE-2008-5209 admidio vulnerability CVSS: 5.0 24 Nov 2008, 17:30 UTC

Directory traversal vulnerability in modules/download/get_file.php in Admidio 1.4.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.