ReportizFlow
Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Admidio |
|
No data.
No data.
References
History
Thu, 07 May 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 07 May 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Admidio
Admidio admidio |
|
| Vendors & Products |
Admidio
Admidio admidio |
Thu, 07 May 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9. | |
| Title | Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send | |
| Weaknesses | CWE-352 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-05-07T03:00:11.696Z
Updated: 2026-05-07T12:41:41.736Z
Reserved: 2026-04-21T23:58:43.804Z
Link: CVE-2026-41663
Vulnrichment
Updated: 2026-05-07T12:41:11.049Z
NVD
Status : Deferred
Published: 2026-05-07T04:16:30.243
Modified: 2026-05-07T14:51:01.740
Link: CVE-2026-41663
Redhat
No data.