Cross-site Scripting (XSS) - Stored in admidio/admidio


Reported on

Dec 20th 2021


When adding a menu after logging in with an administrator account, the URL value is not verified, so an XSS payload is stored in the database. Afterwards, clicking the saved menu triggers the XSS. (A menu added by an administrator can also be clicked by normal users.)

Proof of Concept

1. Open the
2. Log in as administrator
3. Go to
4. Fill in the field and pass javascript:alert(document.domain) as the URL value.
5. Click Saved Menu

Video :


Through this vulnerability, an attacker is capable of executing malicious scripts.
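As an added, constructed example (not Admidio's code and not the fix shipped in 4.0.13): a server-side allowlist check for the menu URL field that rejects the javascript: value from the proof of concept above. Output HTML-encoding alone does not stop this case, because javascript:alert(document.domain) is a perfectly valid href attribute value; the scheme itself has to be restricted. The function names, the allowlist and the sample paths are assumptions.

```python
"""Scheme allowlist for a user-supplied menu URL (constructed example)."""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy

# Browsers drop ASCII tab/newline/CR anywhere in a URL, trim leading and
# trailing C0 controls and spaces, and compare schemes case-insensitively,
# so normalise the same way before deciding.
_INNER_CTRL = re.compile(r"[\t\n\r]")
_EDGE_CTRL = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")


def normalise_url(url: str) -> str:
    """Return the URL as a browser would see it after control-char cleanup."""
    return _INNER_CTRL.sub("", _EDGE_CTRL.sub("", url))


def is_safe_menu_url(url: str) -> bool:
    """True only for allowlisted absolute URLs or site-relative paths."""
    cleaned = normalise_url(url)
    if not cleaned:
        return False
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme:
        # javascript:, data:, vbscript: and anything else not listed
        # is rejected here, whatever its casing or embedded tabs.
        return scheme in ALLOWED_SCHEMES
    # No scheme: accept "adm_program/..." or "/index.php", but not a
    # protocol-relative "//host" (or "\\host") that leaves the site.
    return not (len(cleaned) > 1 and cleaned[0] in "/\\" and cleaned[1] in "/\\")


def store_menu_url(url: str) -> str:
    """Return the value to persist, or raise as the menu controller should."""
    if not is_safe_menu_url(url):
        raise ValueError(f"rejected menu URL: {url!r}")
    return normalise_url(url)
```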

We are processing your report and will contact the admidio team within 24 hours. 2 years ago


Hello! I discovered Stored XSS. Can you assign a CVE for this too? Thank you!

Markus Faßbender validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


When will the status update be done?

Adam Nygate marked this as fixed in 4.0.13 with commit 56a0bd 2 years ago
The fix bounty has been dropped
Adam Nygate
2 years ago


Confirmed fixed with information from
