{"id":"CVE-2020-11004","details":"SQL Injection was discovered in Admidio before version 3.3.13. The main cookie parameter is concatenated into a SQL query without any input validation/sanitization, so an attacker who is not logged in can send a GET request with arbitrary SQL queries appended to the cookie parameter and execute SQL queries. The vulnerability impacts the confidentiality of the system. This has been patched in version 3.3.13.","modified":"2026-04-10T04:21:41.059333Z","published":"2020-04-24T21:15:13.747Z","related":["GHSA-qh57-rcff-gx54"],"references":[{"type":"ADVISORY","url":"https://github.com/Admidio/admidio/issues/908"},{"type":"ADVISORY","url":"https://github.com/Admidio/admidio/security/advisories/GHSA-qh57-rcff-gx54"},{"type":"FIX","url":"https://github.com/Admidio/admidio/commit/ea5d6f114b151ed11ec0ad7cb47bd729e77a874a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/admidio/admidio","events":[{"introduced":"0"},{"fixed":"ea5d6f114b151ed11ec0ad7cb47bd729e77a874a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.13"}]}}],"versions":["3.0-Beta.1","3.0-Beta.3","v3.0.6","v3.1.5","v3.2-Beta.1","v3.3-Beta.1","v3.3-Beta.2","v3.3-Beta.3","v3.3-Beta.4","v3.3.0","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.3","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11004.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}