CVE-2026-34384
CSRF Vulnerability in Admidio Registration Approval Allows Unauthorized User Activation
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | all versions before 5.0.8 (5.0.8 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Admidio versions prior to 5.0.8. The create_user, assign_member, and assign_user actions in the registration module approve pending user registrations via GET requests without validating a CSRF token. This means these actions perform irreversible state changes without protection against Cross-Site Request Forgery attacks.
An attacker who has submitted a pending registration can obtain their own user UUID from the registration confirmation email URL and then trick a user with the rol_approve_users right into visiting a crafted URL. This URL automatically approves the registration, bypassing the manual approval workflow.
This issue was fixed in version 5.0.8 by adding proper CSRF token validation.
How can this vulnerability impact me?
The vulnerability allows an attacker to bypass the manual user registration approval process by tricking an authorized user into visiting a malicious URL. This can lead to unauthorized user accounts being approved automatically.
As a result, unauthorized users could gain access to the system with roles or permissions that should have been manually approved, potentially leading to privilege escalation or unauthorized actions within the application.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Admidio version 5.0.8. Immediate mitigation involves upgrading Admidio to version 5.0.8 or later.
Until the upgrade can be performed, restrict or monitor access to the modules/registration.php file, especially the create_user, assign_member, and assign_user action modes, to prevent unauthorized GET requests that approve user registrations without CSRF token validation.
Additionally, review and limit the users who have the rol_approve_users right to reduce the risk of exploitation.
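As an added example (not Admidio's code or part of the advisory), the following Python scan applies the monitoring advice above to web-server access logs in Combined Log Format: it flags GET requests to modules/registration.php whose action is one of the three approval modes, and rates those arriving with a foreign or missing Referer highest, since a state change triggered from another site is the CSRF pattern itself. The `mode` and `user_uuid` query parameter names and the sample log lines are constructed assumptions, not taken from the product.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Registration actions named in the advisory that approve a pending user.
APPROVAL_MODES = {"create_user", "assign_member", "assign_user"}
MODE_PARAM = "mode"  # assumption: the action is chosen by a "mode" query parameter

# Combined Log Format: client ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample traffic (not real logs); the UUID value is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:10:01:12 +0000] "GET /modules/registration.php?mode=create_user&user_uuid=UUID-PLACEHOLDER HTTP/1.1" 302 0 "https://evil.example/lure" "Mozilla/5.0"
198.51.100.4 - - [31/Mar/2026:10:02:03 +0000] "GET /modules/registration.php?mode=show_list HTTP/1.1" 200 5120 "https://members.example/admin" "Mozilla/5.0"
198.51.100.4 - - [31/Mar/2026:10:03:40 +0000] "POST /modules/registration.php?mode=create_user HTTP/1.1" 302 0 "https://members.example/registration" "Mozilla/5.0"
198.51.100.4 - - [31/Mar/2026:10:04:09 +0000] "GET /modules/registration.php?mode=assign_member&user_uuid=UUID-PLACEHOLDER HTTP/1.1" 302 0 "https://members.example/registration" "Mozilla/5.0"
192.0.2.9 - - [31/Mar/2026:10:05:55 +0000] "GET /modules/registration.php?mode=assign_user&user_uuid=UUID-PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def classify(line, own_hosts):
    """Return a finding for a GET that triggers an approval action, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("modules/registration.php"):
        return None
    mode = parse_qs(url.query).get(MODE_PARAM, [None])[0]
    if mode not in APPROVAL_MODES:
        return None
    ref_host = urlsplit(m["referer"]).hostname or ""
    # Foreign or missing Referer on a state-changing GET is the CSRF shape itself;
    # same-site GETs may be the pre-5.0.8 admin UI and only need review.
    severity = "review" if ref_host in own_hosts else "high"
    return {"client": m["client"], "time": m["time"], "mode": mode,
            "status": m["status"], "referer": m["referer"], "severity": severity}

def find_approval_gets(log_text, own_hosts):
    """Scan a whole log and return findings in file order."""
    hits = (classify(line, own_hosts) for line in log_text.splitlines() if line.strip())
    return [hit for hit in hits if hit]

if __name__ == "__main__":
    for hit in find_approval_gets(SAMPLE_LOG, {"members.example"}):
        print(hit["severity"].upper(), hit["client"], hit["mode"], hit["referer"])
```

After upgrading to 5.0.8 the approval actions should no longer appear as GETs at all, so any remaining hit is worth a look regardless of severity.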