Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on Jan 4th 2022


Description

I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks (").

Proof of Concept

https://google.com/"//autofocus//onfocus="alert(document.domain)"//b="

1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in.
2. Go to "Web-Link" > "Create new link".
3. Fill in all the input values, enter the above PoC as the value of the Link address, and save it.
4. Click on the saved link.

Video : https://www.youtube.com/watch?v=9TZZwSixeCc

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.
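The attribute breakout described in the report, as an added example that is not Admidio's code and not the fix from the referenced commit: it renders the PoC value into an `href` both unescaped and HTML-attribute-escaped, then parses each result to show which attributes end up on the tag. The function and class names are hypothetical, and the http/https allow-list plus attribute escaping is an assumed mitigation.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link address value taken from the report's Proof of Concept.
POC = 'https://google.com/"//autofocus//onfocus="alert(document.domain)"//b="'


def render_unsafe(url):
    # Vulnerable pattern: the stored value is concatenated into href as-is,
    # so the first double quote closes the attribute.
    return '<a href="' + url + '">link</a>'


def render_safe(url):
    # Assumed mitigation: allow only http(s), then encode the value for a
    # double-quoted HTML attribute so '"' becomes &quot;.
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported URL scheme")
    return '<a href="' + escape(url, quote=True) + '">link</a>'


class AnchorAttrs(HTMLParser):
    """Records the attributes an HTML parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.first_anchor = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.first_anchor is None:
            self.first_anchor = dict(attrs)


def anchor_attrs(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.first_anchor or {}


def event_handlers(markup):
    # Regression check: an on* attribute on the rendered link means breakout.
    return sorted(name for name in anchor_attrs(markup) if name.startswith("on"))


if __name__ == "__main__":
    print("unsafe:", anchor_attrs(render_unsafe(POC)))
    print("safe:  ", anchor_attrs(render_safe(POC)))
```

The `event_handlers` check can be kept as a regression test over any template that renders user-supplied link addresses.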

We are processing your report and will contact the admidio team within 24 hours. 2 years ago
Pocas modified the report 2 years ago
We have contacted a member of the admidio team and are waiting to hear back 2 years ago
Markus Faßbender validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pocas (Researcher), 2 years ago:

Hello Markus Faßbender, can you request a CVE?

Markus Faßbender marked this as fixed in all with commit d86f98 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
links_new.php#L77L82 has been validated