Cross-site Scripting (XSS) - Stored in admidio/admidio


Reported on

Oct 14th 2021


Hello, Looking at your project, I saw in the commits several anti-CSRF token addition but also a commit to not allow SVG file upload.

However a blacklist in general is a bad idea, for example php, php3, ... are blocked but it is always possible to send a .php7 or .phps file ... Among the extensions that are not blocked, there is also .html2, this extension allows you to send a file with arbitrary content including Javascript to obtain a stored XSS.

From OWASP : Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Proof of Concept

  1. On /adm_program/system/file_upload.php?module=documents_files&id=1 upload a file with .html2 extension and HTML/Javascript content
  2. Go to /adm_my_files/documents_test/test.html2 (Instead of going through the manager, we use the direct URL in order not to download the file as it would normally be the case)
  3. The file is opened and executed


In the version I'm using the anti-CSRF protection is not yet in place, but even with it, it would be possible to bypass it and perform malicious actions such as adding a new administrator.


I did not propose a fix with this report but I recommend to change this blacklist system by a whitelist system

We have contacted a member of the admidio team and are waiting to hear back 2 years ago
admidio/admidio maintainer
2 years ago


Thanks for the hint. We will implement a whitelist check within the next version.

admidio/admidio maintainer validated this vulnerability 2 years ago
JoMar has been awarded the disclosure bounty
The fix bounty is now up for grabs
admidio/admidio maintainer
2 years ago


This issue is fixed with version 4.0.10 which is just released. There we introduce a whitelist for file extensions.

Markus Faßbender marked this as fixed with commit cb51a9 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation