Stored XSS on user "Edit own profile" function in admidio/admidio

Valid

Reported on Jun 18th 2023


Description

An attacker can inject malicious executable script into the Social media field of a profile. The value is stored and the script runs whenever the profile is edited or viewed.

Proof of Concept

Log in as a Member user, open My profile -> Edit own profile, insert the following payload into any field, then click Save: " autofocus onfocus=prompt(document.domain)>

Open the Edit own profile function again and the payload is triggered.

It also affects an administrator who opens the user's profile through the user's profile link: https://www.admidio.org/demo_en/adm_program/modules/profile/profile_new.php?user_uuid=ef886dfb-25f2-4e76-a1cc-59711183ba40
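The payload works because the stored field value is written into the value="..." attribute of the edit form's input element without attribute encoding, so the leading double quote closes the attribute and the rest becomes new attributes on the element. The Python below is an added example written for this page, not Admidio's code or its actual fix in 4.2.10: render_unsafe mirrors the assumed pre-fix concatenation, render_safe applies attribute-context encoding, and input_attributes parses the result with the standard-library HTML parser to show what the browser would actually see. The field name "social" and the markup are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Payload from the report: it closes the value="..." attribute and appends
# event-handler attributes to the <input> element.
PAYLOAD = '" autofocus onfocus=prompt(document.domain)>'


def render_unsafe(field_value: str) -> str:
    """Vulnerable pattern (assumed to mirror the pre-fix behaviour): the stored
    profile value is concatenated into an HTML attribute without encoding."""
    return '<input type="text" name="social" value="' + field_value + '">'


def render_safe(field_value: str) -> str:
    """Hardened pattern: encode for the attribute context before output.
    quote=True also encodes " and ' so the value cannot end the attribute."""
    return '<input type="text" name="social" value="' + html.escape(field_value, quote=True) + '">'


class _InputAttrCollector(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would parse it."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict | None = None

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "input" and self.attrs is None:
            # HTMLParser already decodes entities in attribute values.
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Return the attribute dict of the first <input> element in markup."""
    parser = _InputAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_injected_handler(markup: str) -> bool:
    """True if the rendered input carries any on* event-handler attribute."""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    # Unsafe rendering: the payload becomes real attributes on the element.
    print(input_attributes(render_unsafe(PAYLOAD)))
    # Safe rendering: the whole payload stays inside the value attribute.
    print(input_attributes(render_safe(PAYLOAD)))
```

With the unsafe renderer the parsed element gains autofocus and onfocus attributes, which is exactly why the prompt fires as soon as the edit form loads; with the safe renderer the parser reports a single value attribute whose content is the original payload string, and no handler. The same check applies to any other context the field is printed in (the profile view page the administrator opens), since each output context needs its own encoding.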

Impact

Because the session cookie is set with the HttpOnly attribute, the attacker cannot read it to hijack user sessions, but can still carry out malicious actions through the XSS vulnerability, such as:

  • Users are being redirected to a malicious website.
  • Capturing keystrokes from users.
  • Obtaining access to a user’s browsing history and clipboard contents.
  • Execution of web browser-based exploits (e.g., crashing the browser).
  • Influencing the users to submit requests to a server controlled by the attacker.
  • Modifying the page’s content.
  • Using deception to trick the victim into disclosing their password to the application or other applications.
  • Using a security vulnerability in the web browser, infecting the victim with other malicious code, and potentially taking over the victim’s computer.
We are processing your report and will contact the admidio team within 24 hours. 3 months ago
hiu240900 modified the report 3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
Markus Faßbender validated this vulnerability 3 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.10 with commit f806a8 3 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
hiu240900
3 months ago

Researcher


@maintainer I saw the fix; could a CVE be assigned for this report?

hiu240900
3 months ago

Researcher


@maintainer please agree that this report can be assigned a CVE; since no bounty was given here, a CVE would be a huge motivation for the researcher's effort to make your product more secure.

Many thanks!

Markus Faßbender published this vulnerability 2 months ago