# Exploit Title: Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions) # Author: Nawaf Alkeraithe # Date: 2018-09-01 # Vendor Homepage: https://www.admidio.org/ # Software Link: https://sourceforge.net/projects/admidio/files/Admidio/3.3.x/admidio-3.3.5.zip/download # Version: 3.3.5 # Tested on: PHP # CVE: N/A # Description: # Low Privilage users are able to increase their permissions due to improper origin checking # by the vendor.

rol_name
rol_description
rol_cat_id
rol_mail_this_role
rol_this_list_view
rol_leader_rights
rol_lst_id
rol_default_registration
rol_max_members
rol_cost
rol_cost_period
rol_assign_roles
rol_all_lists_view
rol_approve_users
rol_edit_user
rol_mail_to_all
rol_profile
rol_announcements
rol_dates
rol_photo
rol_download
rol_guestbook
rol_guestbook_comments
rol_weblinks
rol_start_date
rol_end_date
rol_start_time
rol_end_time
rol_weekday
rol_location
btn_save