Reflected XSS at upload file in admidio/admidio
Jul 17th 2023
1/ Access the demo website and log in (in this case I used the admin user).
2/ In the photo upload function for an album, try to upload a file whose name is the XSS payload.
3/ The payload is triggered in the error message content.
Proof of Concept
Video PoC: https://drive.google.com/file/d/1FyK2Oko0bEEAUbUmDoxP4LAls_2uMqeD/view?usp=sharing
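To show the root cause behind the steps above in the language Admidio is written in, here is an added example (not Admidio's own code; the function and message names are assumptions): an upload error handler that reflects the submitted filename into HTML unescaped, beside a hardened version that validates the name and HTML-encodes it before output.

```php
<?php
// Added illustration, not Admidio's code. Shows the pattern behind a reflected
// XSS in an upload error message and one way to fix it.

// Constructed sample: the name the client supplied for the uploaded file.
$uploadedName = 'vacation<b>2023</b>.jpg';

// VULNERABLE: the client-controlled filename is concatenated straight into
// HTML, so any markup in the name is rendered by the browser.
function renderUploadErrorVulnerable(string $filename): string
{
    return '<div class="alert">The file ' . $filename . ' could not be uploaded.</div>';
}

// HARDENED: encode the value for the HTML context it is placed in.
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes,
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning '',
// and the explicit charset avoids encoding ambiguities.
function renderUploadErrorSafe(string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert">The file ' . $escaped . ' could not be uploaded.</div>';
}

// Defence in depth: accept only a plain base name with a known image
// extension before the name is used anywhere (storage, logs, messages).
function isAcceptableImageName(string $filename): bool
{
    // basename() strips directory components; the pattern allows only
    // letters, digits, dot, dash and underscore plus an allowed extension.
    return basename($filename) === $filename
        && preg_match('/\A[A-Za-z0-9._-]{1,100}\.(jpe?g|png|gif)\z/i', $filename) === 1;
}

echo renderUploadErrorVulnerable($uploadedName), PHP_EOL;
echo renderUploadErrorSafe($uploadedName), PHP_EOL;
var_dump(isAcceptableImageName($uploadedName));
var_dump(isAcceptableImageName('vacation_2023.jpg'));
```

Encoding at the output point is the actual fix; the name check only narrows what reaches that point and is not a substitute for it.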
Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.