Cross-Site Scripting (Stored XSS) in admidio/admidio

Valid

Reported on

May 29th 2023

Description

With Association's board role, i can add a new web link. But, when i create a link, in Link name input field can insert an onfocus/autofocus attribute because do not processing for double quote.

Proof of Concept

  1. Login by account with Association's board role
  2. Access funtion Web links and create new link
  3. Fill all input, at Link name input field, use payload xss" onfocus="alert(document.domain) and save
  4. Login by account with Administrator role
  5. Access funtion Web links and perform edit Web link
  6. XSS payload will be automatically executed

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the admidio team within 24 hours. 6 months ago
We have contacted a member of the admidio team and are waiting to hear back 6 months ago
Markus Faßbender validated this vulnerability 6 months ago
quanghuy25112000 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.8 with commit a7c211 6 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE
Markus Faßbender published this vulnerability 6 months ago
to join this conversation