PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6492 Admidio CVE debrief

CVE-2017-6492 describes a SQL injection vulnerability in Admidio 3.2.5 affecting the dates_function.php code path. The issue is caused by concatenating the POST parameter dat_cat_id directly into a SQL query without input validation or sanitization. NVD rates the issue with a CVSS 3.0 base score of 7.2 (HIGH) and maps it to CWE-89.

Vendor: Admidio
Product: CVE-2017-6492
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-05
Original CVE updated: 2026-05-13
Advisory published: 2017-03-05
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Admidio deployments, especially instances running version 3.2.5 or code derived from the affected module. Because the NVD vector includes PR:H, the main concern is abuse by a user with elevated application privileges rather than an unauthenticated attacker.

Technical summary

According to the CVE description, adm_program/modules/dates/dates_function.php in Admidio 3.2.5 concatenates the POST parameter dat_cat_id into a SQL query without validation or sanitization. NVD classifies the weakness as CWE-89 (SQL Injection) and assigns CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network reachability but requiring high privileges. The vulnerable CPE entry explicitly marks cpe:2.3:a:admidio:admidio:3.2.5 as affected.

Defensive priority

High. The score is in the high range, and the vector's C:H/I:H/A:H components mean the impact can include loss of confidentiality, integrity, and availability of the database. At the same time, the PR:H requirement means exposure is most concerning where privileged Admidio accounts exist or where privilege boundaries are weak.

Recommended defensive actions

  • Confirm whether any vendor update or downstream package release addresses CVE-2017-6492, and deploy it if available.
  • Restrict access to the affected Admidio functions to least-privileged, trusted accounts only.
  • Review the affected code path for parameterized queries and server-side validation of dat_cat_id and related inputs.
  • Monitor application and database logs for unusual SQL patterns or unexpected activity around the dates module.
  • If abuse is suspected, rotate affected credentials and validate database integrity and account permissions.
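The following is an added illustration of the CWE-89 pattern described in the technical summary next to the parameterized, server-side-validated form the review bullet above calls for. It is not Admidio's code: the table, column names, and the in-memory SQLite database are assumptions made so the snippet runs stand-alone.

```php
<?php
// Added example (not Admidio's code). Demonstrates the concatenation pattern
// CVE-2017-6492 describes for dat_cat_id, beside a validated and parameterized
// version. Table and columns are assumed; SQLite in memory keeps it self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dates (dat_id INTEGER PRIMARY KEY, dat_cat_id INTEGER, dat_headline TEXT)');
$db->exec("INSERT INTO dates VALUES (1, 2, 'Board meeting'), (2, 3, 'Public event')");

// VULNERABLE pattern: the request value becomes part of the SQL text, so the
// database parser sees whatever the client sent.
function datesByCategoryUnsafe(PDO $db, string $catId): array
{
    $sql = 'SELECT dat_id, dat_headline FROM dates WHERE dat_cat_id = ' . $catId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not a positive integer before touching the
// database, then bind the value as a typed parameter rather than as SQL text.
function datesByCategorySafe(PDO $db, string $catId): array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $catId)) {
        throw new InvalidArgumentException('dat_cat_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT dat_id, dat_headline FROM dates WHERE dat_cat_id = :cat');
    $stmt->bindValue(':cat', (int) $catId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample request body: a well-formed value behaves the same on both paths.
$post = ['dat_cat_id' => '2'];
print_r(datesByCategorySafe($db, $post['dat_cat_id']));   // one row: Board meeting

// A malformed value shows the difference: the unsafe path hands it to the SQL
// parser (the database error proves the raw text arrived there), while the safe
// path stops it in application code before any query is issued.
$malformed = 'abc';
try {
    datesByCategoryUnsafe($db, $malformed);
} catch (PDOException $e) {
    echo 'unsafe: value reached the SQL engine: ' . $e->getMessage() . PHP_EOL;
}
try {
    datesByCategorySafe($db, $malformed);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected before any query: ' . $e->getMessage() . PHP_EOL;
}
```

Auditing the affected module for the first shape (string concatenation into the query) and replacing it with the second is the concrete check behind the "parameterized queries and server-side validation" bullet.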

Evidence notes

The supplied corpus is consistent across the CVE description and NVD metadata: the vulnerable component is Admidio 3.2.5, the flaw is SQL injection in adm_program/modules/dates/dates_function.php, and the POST parameter dat_cat_id is concatenated into a SQL query without validation/sanitization. NVD also provides the CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H and CWE-89 classification. Reference metadata includes a SecurityFocus BID entry and a third-party GitHub advisory/exploit repository; those are noted for corroboration only.

Official resources

CVE-2017-6492 was published on 2017-03-05T20:59:00.637Z. The provided NVD source metadata was last modified on 2026-05-13T00:24:29.033Z. Timing in this debrief follows the CVE publication date, not the later metadata update.