CVE Reports

Posted on • Originally published at cvereports.com

GHSA-g375-5wmp-xr78: Missing Authorization Allows Arbitrary Forum Deletion in Admidio

Vulnerability ID: GHSA-G375-5WMP-XR78
CVSS Score: 6.5
Published: 2026-03-16

Admidio versions 5.0.0 through 5.0.6 contain a missing authorization vulnerability within the forum module. This flaw permits any authenticated user, regardless of their privilege level, to permanently delete arbitrary forum topics and posts. The underlying issue is located in the request handler for the forum module, which validates CSRF tokens but fails to verify object ownership or administrative rights before executing data deletion operations.
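The advisory's core point is that a CSRF token proves only that a request came from the user's own session; it says nothing about whether that user may act on the object named in the request. The following is an added example, not Admidio's code, that models a forum topic deletion handler in the vulnerable shape the advisory describes and beside it the same handler with the missing object-level authorization check (CWE-862). All names here (User, Topic, ForumStore, delete_topic_vulnerable, delete_topic_fixed) are hypothetical and the data is constructed.

```python
"""Added example, not Admidio's code: a minimal model of a forum topic
deletion handler. It shows why a valid CSRF token proves only that the
request came from the user's own session, not that the user may delete
the object (CWE-862), and the object-level check that closes the gap.
All names here (User, Topic, ForumStore, delete_topic_*) are hypothetical."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Topic:
    uuid: str
    owner_id: int


@dataclass
class ForumStore:
    # uuid -> Topic; stands in for the forum table
    topics: dict = field(default_factory=dict)


class CsrfError(Exception):
    pass


class AuthorizationError(Exception):
    pass


def check_csrf(session_token: str, request_token: str) -> None:
    # Constant-time comparison of the per-session token with the submitted one.
    if not hmac.compare_digest(session_token, request_token):
        raise CsrfError("CSRF token mismatch")


def delete_topic_vulnerable(store: ForumStore, user: User, session_token: str, form: dict) -> bool:
    """Shape of the flaw the advisory describes: the CSRF token is validated,
    but neither ownership nor administrator rights are checked before the
    row is deleted, so any logged-in user who supplies a UUID succeeds."""
    check_csrf(session_token, form["csrf_token"])
    topic = store.topics.get(form["uuid"])
    if topic is None:
        return False
    del store.topics[topic.uuid]
    return True


def delete_topic_fixed(store: ForumStore, user: User, session_token: str, form: dict) -> bool:
    """Same handler with the missing authorization step: load the object,
    then require that the caller owns it or is an administrator."""
    check_csrf(session_token, form["csrf_token"])
    topic = store.topics.get(form["uuid"])
    if topic is None:
        return False
    if not (user.is_admin or topic.owner_id == user.user_id):
        raise AuthorizationError(f"user {user.user_id} may not delete topic {topic.uuid}")
    del store.topics[topic.uuid]
    return True


def demo() -> dict:
    """Run both handlers against constructed data and report what survived."""
    token = secrets.token_hex(16)
    other_user = User(user_id=7)  # low-privilege user who owns nothing
    form = {"csrf_token": token, "uuid": "topic-1"}

    vulnerable = ForumStore({"topic-1": Topic("topic-1", owner_id=1)})
    delete_topic_vulnerable(vulnerable, other_user, token, form)

    fixed = ForumStore({"topic-1": Topic("topic-1", owner_id=1)})
    try:
        delete_topic_fixed(fixed, other_user, token, form)
        denied = False
    except AuthorizationError:
        denied = True

    return {
        "vulnerable_topic_survived": "topic-1" in vulnerable.topics,
        "fixed_topic_survived": "topic-1" in fixed.topics,
        "fixed_denied": denied,
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in the fixed handler matters: the object is loaded first so the ownership check runs against the actual row, and the check is placed inside the handler rather than in the UI, because hiding a delete button does not stop a crafted request. The same pattern applies to posts as well as topics.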

TL;DR

A missing authorization flaw in Admidio's forum module (versions 5.0.0-5.0.6) allows any authenticated user to delete arbitrary topics and posts by supplying a valid CSRF token and the target object's UUID.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5
  • Impact: High Integrity (Data Destruction)
  • Exploit Status: PoC Available
  • Authentication Required: Yes (Low Privilege)

Affected Systems

  • Admidio 5.0.0
  • Admidio 5.0.1
  • Admidio 5.0.2
  • Admidio 5.0.3
  • Admidio 5.0.4
  • Admidio 5.0.5
  • Admidio 5.0.6
  • Admidio: 5.0.0 - 5.0.6 (Fixed in: 5.0.7)

Exploit Details

  • Researcher PoC: cURL command demonstrating direct object deletion via the forum.php endpoint

Mitigation Strategies

  • Update the Admidio application to the patched version (5.0.7 or later).
  • Monitor web access logs for unauthorized POST requests targeting the deletion endpoints.
  • Implement regular database backups to ensure forum data can be restored in the event of unauthorized deletion.
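The log-monitoring mitigation above is easier to act on with a concrete detector. The following is an added example, not part of the advisory or of Admidio, that parses combined-format web access log lines, lists POST requests to the forum deletion endpoint, and flags clients that issue several of them in a short window. Two assumptions are not confirmed by the advisory: that the deletion action appears in the query string as a mode= value containing "delete", and that the script path contains modules/forum.php (the /adm_program prefix and all log lines below are constructed).

```python
"""Added example, not from the advisory: a detector for combined-format
web access logs that lists POST requests to the forum deletion endpoint
and flags clients that issue many of them in a short window.
Assumptions not confirmed by the advisory: the deletion action is carried
in the query string as a mode= value containing "delete", and the script
path contains modules/forum.php. The log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DELETE_MODE = re.compile(r"delete", re.IGNORECASE)  # assumed naming of the deletion mode


def parse_line(line: str):
    """Return {ip, ts, method, target, status} or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_forum_delete(target: str) -> bool:
    """True when the request target is the forum script with a deletion mode."""
    parts = urlsplit(target)
    if "modules/forum.php" not in parts.path:
        return False
    mode = parse_qs(parts.query).get("mode", [""])[0]
    return bool(DELETE_MODE.search(mode))


def find_deletions(lines):
    """All POST requests to the forum deletion endpoint, in log order."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_forum_delete(rec["target"]):
            events.append(rec)
    return events


def burst_sources(events, window=timedelta(minutes=5), threshold=3):
    """Map client IP -> peak number of deletions inside any `window`,
    for clients whose peak reaches `threshold` (sliding-window count)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client deleting four objects in two minutes,
# one client deleting a single topic, plus unrelated forum traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Mar/2026:10:00:01 +0000] "POST /adm_program/modules/forum.php?mode=topic_delete&uuid=example-1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:00:20 +0000] "POST /adm_program/modules/forum.php?mode=topic_delete&uuid=example-2 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Mar/2026:10:00:45 +0000] "GET /adm_program/modules/forum.php?mode=topic_delete&uuid=example-9 HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:01:10 +0000] "POST /adm_program/modules/forum.php?mode=post_delete&uuid=example-3 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Mar/2026:10:01:30 +0000] "POST /adm_program/modules/forum.php?mode=reply&uuid=example-4 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2026:10:01:55 +0000] "POST /adm_program/modules/forum.php?mode=topic_delete&uuid=example-5 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Mar/2026:10:40:00 +0000] "POST /adm_program/modules/forum.php?mode=topic_delete&uuid=example-6 HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    deletions = find_deletions(SAMPLE_LOG)
    for e in deletions:
        print(e["ts"].isoformat(), e["ip"], e["target"])
    print("bursting clients:", burst_sources(deletions))
```

Access logs do not record the application user, so every deletion this finds is a candidate rather than a confirmed unauthorized one: correlate the client address and timestamp with Admidio's session or user records to establish whether the requester owned the object. Legitimate moderation can also look like a burst, which is why the threshold and window are parameters rather than fixed values.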

Remediation Steps

  1. Download Admidio version 5.0.7 from the official repository.
  2. Backup the existing Admidio database and file system.
  3. Replace the core application files, specifically ensuring modules/forum.php is overwritten with the patched version.
  4. Verify that standard users can no longer delete forum topics they do not own.

Read the full report for GHSA-G375-5WMP-XR78 on our website for more details including interactive diagrams and full exploit analysis.
