Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Dec 5th 2021


Description

The reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the `url` parameter. Using `javascript:` throws an error when the URL is parsed, but I bypassed it using `javascript://%0A`.

Proof of Concept

1. Open https://www.admidio.org/demo_en/adm_program/system/redirect.php?url=javascript://%250aalert(document.domain)
2. If you click `here`, you can see that an XSS occurs!

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.
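
As an added example (not the researcher's PoC and not Admidio's code), the following Python traces why a `javascript://%0A` payload gets past a check that only asks whether the value parses as a URL with a scheme and a host, what the browser actually executes once it percent-decodes the `javascript:` body, and how an allow-list of scheme and host rejects the same input. The naive check is an assumed stand-in for the "parsing error" behaviour the report mentions, not the real redirect.php logic; the allowed host and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Assumed allow-list for the example; a real deployment would use its own host name(s).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.admidio.org"}


def naive_looks_like_url(url: str) -> bool:
    """Assumed stand-in for a 'reject if it does not parse as a URL' check.

    'javascript:alert(1)' has no '//' and therefore no host part -> rejected.
    'javascript://%0Aalert(1)' splits into scheme 'javascript' and a 'host' of
    '%0Aalert(1)' -> accepted, which is the bypass the report describes.
    """
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.netloc)


def safe_redirect_target(url: str) -> bool:
    """Hardened check: allow-list the scheme and the host, reject control characters."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # hostname is lowercased and has userinfo/port stripped, so
    # 'https://www.admidio.org@evil.example/' yields 'evil.example' and is refused.
    return parts.hostname in ALLOWED_HOSTS


def browser_executes(href: str) -> str:
    """Approximate what a browser runs when a user follows a javascript: link.

    The body after 'javascript:' is percent-decoded and evaluated as JavaScript.
    '//' line comments are dropped here to show what is left to execute;
    string-literal edge cases are deliberately ignored in this approximation.
    """
    scheme, _, body = href.partition(":")
    if scheme.strip().lower() != "javascript":
        return ""
    code = unquote(body)  # '%0A' -> '\n', which terminates the '//' comment
    live = [ln.strip() for ln in code.split("\n")
            if ln.strip() and not ln.strip().startswith("//")]
    return "\n".join(live)


def walk_through_poc(query_value: str) -> dict:
    """Trace the PoC: the web server decodes the query string once, the script
    checks the value, the page emits it as a link, and the browser decodes it
    again when the link is followed."""
    seen_by_php = unquote(query_value)  # '%250a' -> '%0a'
    return {
        "seen_by_php": seen_by_php,
        "naive_check_passes": naive_looks_like_url(seen_by_php),
        "hardened_check_passes": safe_redirect_target(seen_by_php),
        "browser_runs": browser_executes(seen_by_php),
    }


if __name__ == "__main__":
    # Constructed input mirroring the report's PoC query value.
    for key, value in walk_through_poc("javascript://%250aalert(document.domain)").items():
        print(f"{key}: {value!r}")
```

The double encoding in the PoC matters: the server decodes `%250a` to `%0a`, which keeps the value on one line while the script inspects it, and only the browser turns `%0a` into the newline that closes the `//` comment so `alert(document.domain)` runs. A scheme-and-host allow-list does not care about that trick, because `javascript` is never an accepted scheme.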

We are processing your report and will contact the admidio team within 24 hours. 2 years ago
We have contacted a member of the admidio team and are waiting to hear back 2 years ago
Markus Faßbender validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pocas
2 years ago

Researcher


https://www.cvedetails.com/vulnerability-list/vendor_id-8817/Admidio.html
https://cve.report/software/admidio/admidio

Hello. I've seen that multiple CVEs exist for this commercial open source project at the URLs above. So, when the vulnerabilities I discovered are patched, I would like to receive my first CVE.

Markus Faßbender marked this as fixed in 4.0.12 with commit 470f53 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
Markus
2 years ago

Maintainer


Thank you for discovering that vulnerability!

Jamie Slome
2 years ago

Admin


@fasse - the researcher for this (@wjddnjs33) has requested a CVE for this report. Are you happy for a CVE to be assigned and published for this?

Let me know! 👍

Markus
2 years ago

Maintainer


There is a CVE here: https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh

Pocas
2 years ago

Researcher


omg I got my second CVE.. Thank you!

Pocas
2 years ago

Researcher


Hello Markus Faßbender, Can you please update the CVE for this report?

Jamie Slome
2 years ago

Admin


Sorted! 👍
