Admidio Inventory Module CSRF and Validation Bypass Vulnerability

Vulnerability

A vulnerability in the Admidio inventory module prior to version 5.0.8 allows requests made in the context of an authenticated user to bypass Cross-Site Request Forgery (CSRF) protection and server-side form validation. The issue arises in the 'item_save' endpoint, where the user-controllable POST parameter 'imported' can be set to true. When that flag is present, the endpoint skips the CSRF token check and the form validation it otherwise performs, so arbitrary inventory item data can be saved without the checks the normal save path enforces. The vulnerability has been patched in version 5.0.8.

Impact

Exploitation of this vulnerability allows for CSRF attacks, where an attacker can trick a logged-in user into modifying inventory data. Additionally, the bypassed validation could lead to stored Cross-Site Scripting (XSS) vulnerabilities, as unsanitized input might be saved and later displayed to users.

Reproduction

To reproduce this vulnerability, send a POST request to the 'item_save' endpoint of the inventory module with the 'imported' parameter set to true and any inventory item data. No valid CSRF token is required: because the 'imported' flag causes the server to skip both the CSRF check and the form data validation, the request is processed and the arbitrary data is saved. This is also why the request can be forged from a third-party page on behalf of a logged-in user.
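The following is an added illustration of the flaw class described in the Vulnerability and Reproduction sections above, not Admidio's own code and not the actual 5.0.8 patch. It models an 'item_save' handler in which a client-supplied 'imported' flag disables the CSRF and validation checks, beside a hardened form in which both checks are unconditional and the import mode is taken from server-side session state instead of the request. The Session class, the field names (inv_name, csrf_token) and the forged request body are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for the logged-in user's server-side session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    # Set by a real import workflow on the server; never taken from the client.
    import_in_progress: bool = False


def validate_item(post):
    """Server-side form validation. Returns a list of error strings (empty means valid)."""
    errors = []
    name = post.get("inv_name", "")
    if not name.strip():
        errors.append("inv_name is required")
    if len(name) > 100:
        errors.append("inv_name is too long")
    if "<" in name or ">" in name:
        # Crude markup check: stored values are later rendered to other users.
        errors.append("inv_name contains markup")
    return errors


def item_save_vulnerable(session, post):
    """Flawed pattern: a client-controlled flag decides whether the checks run at all."""
    imported = post.get("imported", "false") == "true"
    if not imported:
        if not hmac.compare_digest(post.get("csrf_token", ""), session.csrf_token):
            return (403, "invalid CSRF token")
        errors = validate_item(post)
        if errors:
            return (400, "; ".join(errors))
    # With imported=true the data is stored without any check.
    return (200, "saved: " + post.get("inv_name", ""))


def item_save_hardened(session, post):
    """Hardened pattern: CSRF check and validation always run; import mode comes from the session."""
    if not hmac.compare_digest(post.get("csrf_token", ""), session.csrf_token):
        return (403, "invalid CSRF token")
    errors = validate_item(post)
    if errors:
        return (400, "; ".join(errors))
    # Any 'imported' value sent by the client is ignored on purpose.
    imported = session.import_in_progress
    return (200, ("saved (import): " if imported else "saved: ") + post["inv_name"])


# Constructed cross-site request: no CSRF token, 'imported' flag set, script in the item name.
FORGED_REQUEST = {
    "imported": "true",
    "inv_name": "<script>alert(document.cookie)</script>",
}


def demo():
    """Run the forged request through both handlers; returns the two (status, message) results."""
    session = Session()
    return item_save_vulnerable(session, FORGED_REQUEST), item_save_hardened(session, FORGED_REQUEST)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable handler:", vulnerable)
    print("hardened handler:  ", hardened)
```

The vulnerable handler accepts the forged request (200) because the 'imported' flag short-circuits both checks; the hardened handler rejects it with 403 before the item is ever validated, and would reject the markup with 400 even if the token were valid. The design point is that a flag which changes whether security checks run must never be derived from request data: if an import really needs different handling, record that mode on the server side and keep the token check in every code path.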

Remediation

Users should update to Admidio version 5.0.8 or later, where this vulnerability has been fixed.

Added: Mar 31, 2026, 10:05 PM
Updated: Mar 31, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          0.6
exploitability  6.6
remediation     7.7
relevance       5.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.