Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 31st 2021


Description

When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link.

Proof of Concept

1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in as a member
2. Go to "My Profile" -> "Edit Profile"
3. In the Facebook URL field, type `asdf" autofocus onfocus="alert(document.domain)` and save.
4. Now, whenever an administrator or general user accesses my profile, XSS occurs.

Video : https://www.youtube.com/watch?v=AA86NeM8sdA

Impact

Through this vulnerability, an attacker is capable of executing malicious scripts.

Occurrences

I couldn't find the exact code. Sorry.
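
The attribute breakout described in the report, shown next to a hardened form, as an added PHP example. It is not Admidio's code and not the fix from the commit; the function names and the sample profile URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed input: the value from step 3 of the proof of concept above.
$input = 'asdf" autofocus onfocus="alert(document.domain)';

// Vulnerable pattern: the stored value is concatenated into a double-quoted
// attribute as-is, so its own double quote closes href and the remainder is
// parsed by the browser as additional attributes on the same element.
function renderLinkUnsafe(string $url): string
{
    return '<a href="' . $url . '">Facebook</a>';
}

// Hardening, part 1 (input): accept only absolute http(s) URLs when saving.
// The scheme check matters because FILTER_VALIDATE_URL alone does not
// restrict which schemes are allowed.
function isAllowedProfileUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Hardening, part 2 (output): encode for the HTML attribute context every
// time the value is rendered, even if it was validated when stored.
function encodeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLinkSafe(string $url): string
{
    if (!isAllowedProfileUrl($url)) {
        return ''; // render nothing for values that are not http(s) URLs
    }
    return '<a href="' . encodeAttr($url) . '" rel="noopener noreferrer">Facebook</a>';
}

// Compare the three outputs for the reported value, then a normal URL.
echo renderLinkUnsafe($input), PHP_EOL;   // quote breaks out of href
echo encodeAttr($input), PHP_EOL;         // quote becomes &quot; and stays inside the value
var_dump(renderLinkSafe($input));         // rejected by validation
echo renderLinkSafe('https://www.facebook.com/example'), PHP_EOL; // hypothetical profile URL
```

Output encoding is the control that closes this class of bug; the URL validation is defence in depth and also blocks non-http schemes in the link target.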

We are processing your report and will contact the admidio team within 24 hours. 2 years ago
Pocas
2 years ago

Researcher


https://www.huntr.dev/bounties/d3f3ce78-4a30-457d-982e-70d74e68efeb/

And, maintainer, I would like to be assigned a CVE for the vulnerability at the above URL. And please assign a total of 2 CVEs including the report you just reported! Thank you!

Pocas modified the report
2 years ago
We have contacted a member of the admidio team and are waiting to hear back 2 years ago
admidio/admidio maintainer validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender marked this as fixed in all with commit 0e4bce 2 years ago
Markus Faßbender has been awarded the fix bounty
profile.php#L1L925 has been validated
Markus
2 years ago

Maintainer


Hi Pocas, thanks for the research. I don't know how to request a CVE through this platform.
