Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 31st 2021


Description

When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link.

Proof of Concept

1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in as a member.
2. Go to "My Profile" -> "Edit Profile"
3. In the Facebook URL field, type `asdf" autofocus onfocus="alert(document.domain)` and save.
4. Now, whenever an administrator or general user accesses my profile, XSS occurs.

Video : https://www.youtube.com/watch?v=AA86NeM8sdA

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.

Occurrences

I couldn't find the exact code. Sorry.
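
The pattern the report describes, as an added example that is not part of the original report and not Admidio's code: a stored profile link written into a double-quoted HTML attribute, first unencoded and then encoded for the attribute context at output time. The function names, the `<a href>` element and the http/https allowlist are assumptions made for the illustration; the report does not identify the affected element or the shape of the merged fix.

```php
<?php
// Added illustration; all function names are hypothetical, not Admidio's.

// Vulnerable pattern: the stored value is concatenated into the attribute as-is,
// so a double quote in the value ends the attribute early.
function render_link_unsafe(string $storedUrl): string
{
    return '<a href="' . $storedUrl . '">Facebook</a>';
}

// Hardened pattern: encode for the HTML attribute context when rendering.
function render_link_safe(string $storedUrl): string
{
    $encoded = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $encoded . '">Facebook</a>';
}

// Defence in depth when saving (assumed policy): accept only http/https links
// without quotes, angle brackets or whitespace.
function is_acceptable_profile_url(string $value): bool
{
    if (preg_match('/["\'<>\s]/', $value) === 1) {
        return false;
    }
    $scheme = parse_url($value, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Parse the markup the way a browser would and list the attributes on the link.
function link_attributes(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// The value from step 3 of the proof of concept.
$stored = 'asdf" autofocus onfocus="alert(document.domain)';

echo 'unsafe attributes: ', implode(', ', link_attributes(render_link_unsafe($stored))), PHP_EOL;
echo 'safe attributes:   ', implode(', ', link_attributes(render_link_safe($stored))), PHP_EOL;
echo 'accepted on save:  ', var_export(is_acceptable_profile_url($stored), true), PHP_EOL;
```

The attribute list makes a usable regression check: the rendered link should carry only the attributes the template itself wrote, whatever value is stored in the profile field.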

We are processing your report and will contact the admidio team within 24 hours. a month ago
Pocas
a month ago

Researcher


https://www.huntr.dev/bounties/d3f3ce78-4a30-457d-982e-70d74e68efeb/

And, maintainer, I would like to be assigned a CVE for the vulnerability at the above URL. And please assign a total of 2 CVEs including the report you just reported! Thank you!

Pocas modified their report
a month ago
We have contacted a member of the admidio team and are waiting to hear back a month ago
admidio/admidio maintainer validated this vulnerability a month ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender confirmed that a fix has been merged on 0e4bce 18 days ago
Markus Faßbender has been awarded the fix bounty
profile.php#L1L925 has been validated
Markus
18 days ago

Maintainer


Hi Pocas, thanks for the research. I don't know how to request a CVE through this platform.