Cross-site Scripting (XSS) - Stored in admidio/admidio
Jan 13th 2022
I can send a message. In the message, I can create a link. But when I create a link, I can add an onfocus/autofocus attribute after escaping the href attribute, because double quotes are not processed.
Proof of Concept
1. Open https://www.admidio.org/demo_en/adm_program/system/login.php
2. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
3. Click Send Message to Anyone
4. Click the button for creating a URL, enter google.com/"autofocus//onfocus="alert(document.domain and send
5. Go to the message I sent

Video: https://www.youtube.com/watch?v=4yjaSFDmhFY

Through this vulnerability, an attacker is able to execute malicious scripts.
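The attribute breakout described above, next to a corrected rendering and a regression check, as an added example that is not Admidio's code. The function names are hypothetical, and the way the link is assembled (including the https:// prefix) is an assumed minimal model of the behaviour in the report.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio code. All function names are hypothetical.

// Vulnerable pattern: the user's URL is concatenated into a double-quoted
// attribute unchanged, so a " in the input ends href and whatever follows
// is parsed by the browser as further attributes of the same element.
function renderLinkUnsafe(string $url): string
{
    return '<a href="https://' . $url . '">' . $url . '</a>';
}

// Hardened pattern: force an http(s) scheme, then escape the value for the
// HTML attribute (and text) context before it is written out.
function renderLinkSafe(string $url): string
{
    if (preg_match('#^https?://#i', $url) !== 1) {
        $url = 'https://' . $url; // bare host/path input, as in the report
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

// Regression check: the rendered link must be exactly one <a> start tag
// with a single quoted href, link text, and the closing tag.
function isSingleAttributeLink(string $html): bool
{
    return preg_match('#^<a href="[^"<>]*">[^<>]*</a>$#', $html) === 1;
}

// Link value taken from the report's proof of concept.
$input = 'google.com/"autofocus//onfocus="alert(document.domain';

foreach (['renderLinkUnsafe', 'renderLinkSafe'] as $render) {
    $html = $render($input);
    printf("%-17s %s\n  passes check: %s\n", $render, $html,
        isSingleAttributeLink($html) ? 'yes' : 'no');
}
```

The same check can run in a unit test over every place where a user-supplied URL is written into markup.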