Cross-site Scripting (XSS) - Stored in admidio/admidioValid
Jan 4th 2022
I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks (").
Proof of Concept
1. Open the https://www.admidio.org/demo_en/adm_program/system/login.php and Login 2. Go to "Web-Link" > "Create new link" 3. Fill in all the input values, enter the above PoC as the value of the Link address, and save it. 4. Click on the saved link Video : https://www.youtube.com/watch?v=9TZZwSixeCc
Through this vulnerability, an attacker is capable to execute malicious scripts.