Cross-site Scripting (XSS) - Stored in admidio/admidio
Valid
Dec 31st 2021
When editing your profile, you can create social media links. A stored XSS vulnerability using the onfocus attribute occurs because the double quote is not URL-encoded in the input value of the social media link.
Proof of Concept
1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in as a member.
2. Go to "My Profile" -> "Edit Profile".
3. In the Facebook URL field, type `asdf" autofocus onfocus="alert(document.domain)` and save.
4. Now, whenever an administrator or general user accesses my profile, XSS occurs.

Video: https://www.youtube.com/watch?v=AA86NeM8sdA

Through this vulnerability, an attacker can execute malicious scripts.
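The root cause described above, a stored value written into a double-quoted `value` attribute without encoding, is shown here next to a hardened form. This is an added example, not Admidio's code: the function names and the `facebook` field name are hypothetical, and the benign URL is a constructed sample.

```php
<?php
// Added illustration; not Admidio source. All function names are hypothetical.

// Vulnerable pattern: the stored value is concatenated into a double-quoted
// attribute, so a '"' in the value closes the attribute and the remainder
// is parsed by the browser as additional attributes.
function renderFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function renderFieldSafe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Defence in depth at input time: accept only absolute http(s) URLs that
// contain no quotes, angle brackets or whitespace.
function isAcceptableProfileUrl(string $url): bool
{
    if (preg_match('/["\'<>\s]/', $url) === 1) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

$stored = 'asdf" autofocus onfocus="alert(document.domain)'; // value from the report
$benign = 'https://www.facebook.com/example.user';           // constructed sample

echo renderFieldUnsafe('facebook', $stored), PHP_EOL; // attribute boundary broken
echo renderFieldSafe('facebook', $stored), PHP_EOL;   // quotes emitted as &quot;
var_dump(isAcceptableProfileUrl($stored));
var_dump(isAcceptableProfileUrl($benign));
```

Output encoding is the fix for this bug; the input check only narrows what can be stored and does not replace it.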