CVE-2026-32817

Admidio · Admidio User Management

Admidio versions 5.0.0 through 5.0.6 fail to validate delete permissions and CSRF tokens in the documents module, allowing unauthenticated or low-privileged users to delete files.

Executive summary

A critical vulnerability in Admidio's document management module allows unauthenticated or unauthorized users to permanently delete the entire document library through manipulated HTTP requests.

Vulnerability

The application fails to perform proper authorization checks for file and folder deletion, only verifying view-level access. Furthermore, the lack of CSRF protection allows an unauthenticated attacker to trigger deletions via simple GET requests if the module is in public mode.

Business impact

This vulnerability poses a significant risk to data availability and business continuity. An attacker can achieve a total denial of service for the document library by wiping all files. For organizations relying on Admidio for user management and document storage, this could lead to the permanent loss of sensitive records and significant reputational damage. The CVSS score of 9.1 reflects this high impact on availability.

Remediation

Immediate Action: Upgrade Admidio to version 5.0.7, which adds proper permission validation and CSRF protection to the documents module.

Proactive Monitoring: Review web server logs for suspicious GET requests targeting modules/documents-files.php with folder_delete or file_delete actions.
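As an added detection example (not part of this advisory), a Python scan over constructed Apache/Nginx combined-format access-log lines that applies the indicator above: GET requests to modules/documents-files.php carrying a folder_delete or file_delete action. The advisory names only the script and the two action values, so the "mode" parameter name, the /adm_program/ path prefix and the UUID values in the samples are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identity, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Script and deletion actions named in the advisory.
TARGET_SCRIPT = "modules/documents-files.php"
DELETE_ACTIONS = {"folder_delete", "file_delete"}


def parse_line(line):
    """Split one access-log line into its fields; None if not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": url.path, "query": parse_qs(url.query), "status": int(m.group("status"))}


def is_suspicious(entry):
    """GET to the documents script whose query carries a delete action.
    The advisory does not name the query parameter, so every value is checked
    (assumption) instead of a fixed key such as the constructed 'mode' below."""
    if entry is None or entry["method"] != "GET":
        return False
    if not entry["path"].endswith(TARGET_SCRIPT):
        return False
    values = {v for vals in entry["query"].values() for v in vals}
    return bool(values & DELETE_ACTIONS)


def scan(lines):
    """Return the parsed entries matching the advisory's indicator, in log order."""
    return [e for e in map(parse_line, lines) if is_suspicious(e)]


# Constructed sample lines: documentation-range IPs, placeholder UUIDs, assumed 'mode' key.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:08:15:02 +0000] "GET /adm_program/modules/documents-files.php?mode=folder_delete&folder_uuid=PLACEHOLDER-1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2026:08:15:09 +0000] "GET /adm_program/modules/documents-files.php?folder_uuid=PLACEHOLDER-1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2026:08:15:11 +0000] "GET /adm_program/modules/documents-files.php?mode=file_delete&file_uuid=PLACEHOLDER-2 HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2026:08:16:40 +0000] "POST /adm_program/modules/documents-files.php?mode=file_delete HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], hit["query"], hit["status"])
```

Only the two GET deletions from 203.0.113.7 are reported; the plain folder view and the POST are left alone, since the advisory describes the unauthenticated path as GET requests.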

Compensating Controls: If immediate updates are not possible, disable the "Documents and Files" module or set documents_files_module_enabled to 0 in the application configuration.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for unauthenticated users to destroy a document library is a critical security failure. Administrators must apply the version 5.0.7 patch immediately. Ensure that backups of the document library are verified and stored securely to mitigate the impact of potential data loss incidents.