Admidio Missing Authorization Vulnerability in Inventory Module Destructive Operations

Vulnerability

A vulnerability exists in the Admidio inventory module prior to version 5.0.9, where authorization for destructive actions such as deleting, retiring, and reinstating items is enforced only at the user interface level. The backend POST handlers for these operations perform Cross-Site Request Forgery (CSRF) validation but fail to verify whether the user has inventory administrator rights. As a result, any authenticated user with access to the inventory module can permanently delete inventory items and their associated data. This issue has been patched in version 5.0.9.

Impact

This vulnerability allows any authenticated user to permanently delete inventory items and all related data, including item fields and borrow records, without any possibility of recovery. The deletion is irreversible unless database backups are available. Additionally, the same lack of authorization allows non-admin users to retire or reinstate items and manage item pictures, effectively bypassing the intended permission controls. In environments where Admidio's inventory module is used to manage physical assets, this could lead to the complete loss of an organization's inventory records.

Reproduction

To reproduce this vulnerability, log into an Admidio instance with the inventory module enabled (default setting) as a regular user without inventory admin rights. Access the inventory list to retrieve item UUIDs, then use the 'item_delete' POST handler to delete items. This can be done for individual items or in bulk by sending multiple UUIDs in a single request.

Remediation

Users are advised to update to Admidio version 5.0.9 or later, where this vulnerability has been fixed.

Added: May 7, 2026, 4:35 AM
Updated: May 7, 2026, 4:35 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.