Admidio Cross-Organization Data Exposure Vulnerability in User Management Endpoint

Vulnerability

A vulnerability in Admidio's user management system prior to version 5.0.9 allows user managers to bypass organization isolation and access all user records across different organizations. This issue arises from a permission check mismatch in the 'contacts_data.php' endpoint, which uses a weaker authorization method than the frontend 'contacts.php' page. As a result, a user manager can exploit this vulnerability to retrieve sensitive information, including full names, email addresses, login names, and other profile details, from all organizations sharing the same database.

Impact

Exploitation of this vulnerability leads to unauthorized access to member data from all organizations in a multi-tenant Admidio deployment, bypassing intended organization isolation. This allows for the exfiltration of sensitive information such as full names, email addresses, login names, and user UUIDs, which could be used to target other API endpoints.

Reproduction

To reproduce this vulnerability, log in as a user manager account in an Admidio instance with at least two organizations sharing the same database. Ensure the account has 'rol_edit_user' but not 'rol_administrator'. Capture the session cookie and send a request to the 'contacts_data.php' endpoint with 'mem_show_filter' set to 3. The response will include all user records from all organizations, including those from organizations where the user has no membership, thus demonstrating the bypass of organization isolation.
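As an added example (not part of this advisory or of Admidio's own code), the following Python scans web-server access logs for the request shape described above so a defender can spot attempted use of this issue on unpatched instances. It assumes combined log format and that mem_show_filter is passed in the query string; a parameter sent only in a POST body would not appear in a standard access log, so such requests would need application-level logging instead.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format (assumption: field layout is the web server's, not Admidio's own logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_cross_org_listing(target):
    """True when the request targets contacts_data.php with mem_show_filter=3,
    the combination the advisory describes. Only query-string parameters are
    visible here; the frontend contacts.php page is deliberately not flagged."""
    parts = urlsplit(target)
    if not parts.path.endswith("contacts_data.php"):
        return False
    return "3" in parse_qs(parts.query).get("mem_show_filter", [])


def flag_requests(lines):
    """Summarise, per client IP, successful (HTTP 200) requests matching the
    pattern: count plus first and last timestamp. Denied requests are ignored."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not is_cross_org_listing(m["target"]):
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)


# Constructed sample log lines (not real traffic; paths and addresses are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2026:04:10:01 +0000] "GET /admidio/contacts_data.php?mem_show_filter=3&draw=1 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/May/2026:04:10:02 +0000] "GET /admidio/contacts.php?mem_show_filter=3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/May/2026:04:11:40 +0000] "GET /admidio/contacts_data.php?mem_show_filter=0&draw=2 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/May/2026:04:12:15 +0000] "POST /admidio/contacts_data.php?mem_show_filter=3 HTTP/1.1" 200 48207 "-" "curl/8.0"',
    '192.0.2.9 - - [07/May/2026:04:13:00 +0000] "GET /admidio/contacts_data.php?mem_show_filter=3 HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in flag_requests(SAMPLE_LOG).items():
        print(ip, summary)
```

Correlate flagged IPs with Admidio's own session or login records to identify the account involved, since the access log alone does not carry the application user.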

Remediation

Users are advised to update to Admidio version 5.0.9, where this vulnerability has been patched.

Added: May 7, 2026, 4:36 AM
Updated: May 7, 2026, 4:36 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.