Reflected XSS at upload file in admidio/admidio

Valid

Reported on

Jul 17th 2023

Description

1/ Access the demo website and log in (in this case I used the admin user).

2/ In the "upload photo to an album" function, try uploading a file whose name is an XSS payload.

3/ The payload will be triggered in the error content.
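The report describes a reflected XSS where an error message echoes the uploaded file name back into the page without encoding. The following Python model is an added example, not Admidio's code (Admidio is PHP; the pattern is the same): a vulnerable renderer that interpolates the raw file name, the fixed renderer that HTML-encodes it first, and a small check a defender can use to confirm no tag from untrusted input survives into the output. The template and the file name used below are constructed; the file name is the one the researcher supplies later in this thread.

```python
import html
import re

# Constructed sample input: the file name the researcher gave in the thread below.
PAYLOAD_FILENAME = '"><img src=x onerror=alert(\'XSS\')>'

# Hypothetical error markup; Admidio's real template is not reproduced here.
ERROR_TEMPLATE = (
    '<div class="alert alert-danger">'
    'The file "{name}" could not be uploaded.'
    '</div>'
)


def render_error_vulnerable(filename: str) -> str:
    """The pattern behind the report: the user-controlled file name is
    dropped into the HTML as-is, so any markup in it becomes live."""
    return ERROR_TEMPLATE.format(name=filename)


def render_error_fixed(filename: str) -> str:
    """Same message, but the file name is HTML-encoded before it reaches
    the markup. quote=True also encodes " and ', so the value cannot break
    out of an attribute either (the payload starts with "> for that reason)."""
    return ERROR_TEMPLATE.format(name=html.escape(filename, quote=True))


# Matches anything that looks like an HTML tag in the rendered output.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_live_markup(rendered: str) -> bool:
    """Defensive check: return True if the rendered page contains any tag
    that is not part of the fixed template, i.e. markup that came from
    untrusted input and was not encoded."""
    template_tags = set(TAG_RE.findall(ERROR_TEMPLATE.format(name="")))
    return any(tag not in template_tags for tag in TAG_RE.findall(rendered))


def safe_storage_name(filename: str) -> str:
    """Defence in depth for the stored copy of the name: allow-list the
    characters, so even code paths that forget to encode have less to
    reflect. This is a constructed policy, not Admidio's."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", filename).strip("._")
    return cleaned or "upload"


if __name__ == "__main__":
    vuln = render_error_vulnerable(PAYLOAD_FILENAME)
    fixed = render_error_fixed(PAYLOAD_FILENAME)
    print("vulnerable:", vuln)
    print("live markup in vulnerable output:", contains_live_markup(vuln))
    print("fixed:     ", fixed)
    print("live markup in fixed output:    ", contains_live_markup(fixed))
    print("storage name:", safe_storage_name(PAYLOAD_FILENAME))
```

Output encoding at the point where the name enters the HTML is the actual fix; the allow-list on the stored name only reduces what is available to reflect and does not replace it, because the original name may still be shown to the user elsewhere.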

Proof of Concept

Video PoC: https://drive.google.com/file/d/1FyK2Oko0bEEAUbUmDoxP4LAls_2uMqeD/view?usp=sharing

Impact

Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

We are processing your report and will contact the admidio team within 24 hours. (2 months ago)
We have contacted a member of the admidio team and are waiting to hear back. (2 months ago)

Markus (Maintainer), 2 months ago:

Could you please give an example of a file name that will execute at error? In your screenshot you show the result of the error message.

Chuu (Researcher), 2 months ago:

Hi @maintainer, I'm sorry for not providing the file name. The filename with the XSS payload is "><img src=x onerror=alert('XSS')>

Markus Faßbender validated this vulnerability 2 months ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.11 with commit a9955b 2 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 12th 2023
Markus Faßbender published this vulnerability a month ago