Stored XSS on user "Write private message" function in admidio/admidio
Reported on
Jun 18th 2023
Description
An attacker can inject malicious executable scripts into the code of the message field.
Proof of Concept
Log in as a Member user, access Messages -> Write private message function for sending admin a message.COde
Insert this payload into the message field <p>test</p><script>prompt('1')</script> then click Send.
View the sent message and observed that the XSS payload was successfully executed.
Impact
Since the cookie used for sessions was set with the "HTTPonly" attribute, so the attacker can not hijack user sessions but still can carry out some malicious actions by manipulating XSS vulnerabilities, such as:
- Users are being redirected to a malicious website.
- Capturing keystrokes from users.
- Obtaining access to a user’s browsing history and clipboard contents.
- Execution of web browser-based exploits (e.g., crashing the browser).
- Influencing the users to submit requests to a server controlled by the attacker.
- Modifying the page’s content.
- Using deception to trick the victim into disclosing their password to the application or other applications.
- Using a security vulnerability in the web browser, infecting the victim with other malicious code, and potentially taking over the victim’s computer.
@maintainer please agree to this report can be assigned a CVE, since no bounty was given here so a CVE would be a huge motivation for the researcher's effort to make your product more secure.
Many thanks!