Home > Vulnerability Database > CVE-2020-11004

Mend.io Vulnerability Database

CVE-2020-11004

Date: April 24, 2020

SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, thus an attacker without logging in, can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.

Language: PHP

Severity Score

7.7

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-11004

Url: https://github.com/Admidio/admidio/commit/ea5d6f114b151ed11ec0ad7cb47bd729e77a874a

Url: https://github.com/Admidio/admidio/security/advisories/GHSA-qh57-rcff-gx54

Url: https://github.com/Admidio/admidio/issues/908

Url: https://www.mend.io/vulnerability-database/CVE-2020-11004

Severity Score

7.7

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-11004

Date: April 24, 2020

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?