CVE-2024-38529: 
PHP vulnerability analysis and mitigation

CVE-2024-38529 is a Remote Code Execution (RCE) vulnerability discovered in Admidio, a free, open-source user management system for websites of organizations and groups. The vulnerability affects versions prior to 4.3.10 and was disclosed on July 29, 2024. The flaw exists in the Message module of the Admidio Application, where attackers can upload malicious PHP files as attachments (GitHub Advisory, NVD).

The vulnerability stems from the lack of file extension verification in the Message module's attachment functionality. Uploaded files can be accessed publicly through the URL pattern {admidio_base_url}/adm_my_files/messages_attachments/{file_name}. The vulnerability has received a CVSS v3.1 base score of 9.0 (Critical) from GitHub and 8.8 (High) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD, GitHub Advisory).

The vulnerability allows attackers to upload PHP web shells that can execute arbitrary OS commands on the server, potentially leading to complete compromise of the application server. Attackers can execute arbitrary code, access and modify sensitive data, install malicious software, gain access to internal networks, and disrupt hosted services (GitHub Advisory, Security Online).

The vulnerability has been fixed in Admidio version 4.3.10. The patch implements strict file extension verification to ensure that only allowed file types can be uploaded, rejecting files with disallowed or suspicious extensions such as .php, .phtml, and .exe. Organizations are strongly advised to update their Admidio installations to version 4.3.10 immediately (ASEC, GitHub Advisory).