Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 18th 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

// PoC.js

Vuln Link --> https://www.admidio.org/demo_en/adm_program/modules/messages/messages_write.php?rol_id=1&subject=Login%20problems+xss%22%20autofocus/onfocus=%22alert(3)%22%20

Impact

This vulnerability is capable of claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .

We have contacted a member of the admidio team and are waiting to hear back a month ago
We have contacted a member of the admidio team and are waiting to hear back a month ago
Markus Faßbender validated this vulnerability a month ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x
a month ago

Researcher


Thanks for updates!

Markus Faßbender confirmed that a fix has been merged on 246044 a month ago
Markus Faßbender has been awarded the fix bounty
Markus
a month ago

Maintainer


This is fixed with version 4.0.11 . Thanks for the research.