Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 31st 2021


Description

When editing your profile, you can create social media links. However, a stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double quote is not URL-encoded in the input value of the social media link.

Proof of Concept

1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in as a member.
2. Go to "My Profile" -> "Edit Profile".
3. In the Facebook URL field, type `asdf" autofocus onfocus="alert(document.domain)` and save.
4. Now, whenever an administrator or general user accesses my profile, XSS occurs.

Video: https://www.youtube.com/watch?v=AA86NeM8sdA

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.

Occurrences

I couldn't find the exact code. Sorry.
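
The root cause described in this report, shown as an added example that is not part of the original report and is not Admidio's code: a stored value concatenated into a quoted HTML attribute, next to a version that validates the URL on save and HTML-encodes it on output. The function names, the `facebook` field name and the `<input>` markup are assumptions for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from Admidio.

// Vulnerable pattern: the stored value is concatenated into a quoted attribute,
// so a double quote in the value closes the attribute and starts new ones.
function renderLinkFieldUnsafe(string $storedUrl): string
{
    return '<input type="text" name="facebook" value="' . $storedUrl . '">';
}

// Input-side check: a profile link must be a plain http(s) URL.
function isAllowedProfileUrl(string $url): bool
{
    // Reject quotes, angle brackets, whitespace and control characters.
    if (preg_match('/["\'<>\s\x00-\x1f]/', $url)) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Output-side fix: HTML-encode for the attribute context.
function renderLinkFieldSafe(string $storedUrl): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot leave the attribute.
    $encoded = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="facebook" value="' . $encoded . '">';
}

// First value is the one from the report's proof of concept;
// the second is a constructed benign value.
$samples = [
    'asdf" autofocus onfocus="alert(document.domain)',
    'https://www.facebook.com/example.member',
];

foreach ($samples as $value) {
    echo 'accepted on save: ', var_export(isAllowedProfileUrl($value), true), PHP_EOL;
    echo 'unsafe: ', renderLinkFieldUnsafe($value), PHP_EOL;
    echo 'safe:   ', renderLinkFieldSafe($value), PHP_EOL, PHP_EOL;
}
```

Output encoding is the control that closes the hole; the save-time check only keeps malformed values out of the database and should not be relied on alone, since values stored before the check was added are still rendered.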

We are processing your report and will contact the admidio team within 24 hours. a year ago
Pocas
a year ago

Researcher


https://www.huntr.dev/bounties/d3f3ce78-4a30-457d-982e-70d74e68efeb/

And, maintainer, I would like to be assigned a CVE for the vulnerability at the above URL. And please assign a total of 2 CVEs including the report you just reported! Thank you!

Pocas modified the report
a year ago
We have contacted a member of the admidio team and are waiting to hear back a year ago
admidio/admidio maintainer validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender marked this as fixed in all with commit 0e4bce a year ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
profile.php#L1L925 has been validated
Markus
a year ago

Hi Pocas, thanks for the research. I don't know how to request a CVE through this platform.
