Cross-site Scripting (XSS) - Reflected in admidio/admidio
Valid
Reported on Oct 18th 2021
Description
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. In this report the `subject` query parameter of messages_write.php is reflected into the page without output encoding. The payload in the proof of concept is built for an HTML attribute context: the `"` ends the attribute the value lands in, and the remainder (`autofocus/onfocus="alert(3)"`) is parsed as additional attributes, so the injected event handler runs as soon as the field receives focus.
Proof of Concept
Vulnerable link: https://www.admidio.org/demo_en/adm_program/modules/messages/messages_write.php?rol_id=1&subject=Login%20problems+xss%22%20autofocus/onfocus=%22alert(3)%22%20

URL-decoded, the `subject` parameter sent to the server is: `Login problems xss" autofocus/onfocus="alert(3)" `
Impact
This vulnerability can be used to steal other users' cookies and to carry out other advanced attack scenarios. Account takeover is possible in this case.
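The following is an added example, not code from the report or from the Admidio project, showing why the proof-of-concept payload breaks out of an attribute and how attribute-context output encoding stops it. The `<input>` markup is an assumed stand-in for the real messages_write.php template (which this page does not show); the PoC URL is taken from the report and decoded with the standard library, then rendered both unsafely and safely, and an HTML parser is used to tokenise the result the way a browser would:

```python
"""Added example (not Admidio's code): attribute-context XSS and its fix.

The <input> markup below is an assumed stand-in for the real
messages_write.php template, which is not shown on the report page."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# PoC URL from the report; the query string carries the payload.
POC_URL = ("https://www.admidio.org/demo_en/adm_program/modules/messages/"
           "messages_write.php?rol_id=1&subject=Login%20problems+xss%22%20"
           "autofocus/onfocus=%22alert(3)%22%20")


def subject_from_url(url: str) -> str:
    """Return the URL-decoded `subject` query parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query)["subject"][0]


def render_subject_vulnerable(subject: str) -> str:
    """Reflect the parameter into a double-quoted attribute with no encoding.

    A `"` in the input closes the attribute; whatever follows is parsed as
    further attributes of the element, including on* event handlers."""
    return f'<input type="text" name="subject" value="{subject}">'


def render_subject_hardened(subject: str) -> str:
    """Encode for the attribute context.

    quote=True turns `"` into &quot; (and `'` into &#x27;), so the reflected
    value can never terminate the attribute early. The PHP equivalent is
    htmlspecialchars($subject, ENT_QUOTES, 'UTF-8')."""
    encoded = html.escape(subject, quote=True)
    return f'<input type="text" name="subject" value="{encoded}">'


class _FirstInput(HTMLParser):
    """Collect the attributes of the first <input> tag as the tokeniser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)  # names lowercased, values entity-decoded


def input_attributes(markup: str) -> dict:
    """Parse the markup and return the first <input> element's attributes."""
    parser = _FirstInput()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_event_handler(attrs: dict) -> bool:
    """True if any attribute is an on* event handler, i.e. script got injected."""
    return any(name.startswith("on") for name in attrs)


if __name__ == "__main__":
    subject = subject_from_url(POC_URL)
    for label, render in (("vulnerable", render_subject_vulnerable),
                          ("hardened", render_subject_hardened)):
        attrs = input_attributes(render(subject))
        print(f"{label}: attributes={sorted(attrs)} "
              f"event_handler={has_event_handler(attrs)}")
```

The useful check for a reviewer or regression test is the parsed result rather than the raw string: with the vulnerable rendering the parser reports `autofocus` and `onfocus` as attributes of the input, while the hardened rendering yields only `type`, `name` and `value`, and the decoded `value` round-trips to the original subject. Encoding must match the context the data is written into; the same `html.escape` call is not sufficient for data placed inside a `<script>` block or a URL.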
We have contacted a member of the admidio team and are waiting to hear back
This is fixed with version 4.0.11. Thanks for the research.