Cross-site Scripting (XSS) - Reflected in admidio/admidio


Reported on

Oct 18th 2021


Possible to perform reflected XSS by using double URL encoding when retrieving files

Proof of Concept

Trigger XSS via


Possible trick admin users to visit the malicious link, executing the XSS and allowing cookies to be stolen, it is also possible to execute actions as admin user via malicious Javascript.


html sanitisation should be done after all input has been transformed

We have contacted a member of the admidio team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
Markus Faßbender validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender marked this as fixed with commit 01a83d 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation