Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 20th 2021


Description

When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when you click the saved menu, XSS is triggered. (If an administrator adds a menu, normal users can click it too.)

Proof of Concept

1. Open the https://www.admidio.org/demo_en
2. Log in as administrator
3. Go to https://www.admidio.org/demo_en/adm_program/modules/menu/menu_new.php
4. Fill in the field and pass javascript:alert(document.domain) as the URL value.
5. Click Saved Menu

Video : https://youtu.be/rvopFkFlfuw

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the admidio team within 24 hours. a year ago
Pocas
a year ago

Researcher


Hello! I discovered Stored XSS. Can you assign a CVE for this too? thank you!

Markus Faßbender validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pocas
a year ago

Researcher


When will the status update be done?

Adam Nygate marked this as fixed in 4.0.13 with commit 56a0bd a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Adam Nygate
a year ago

Admin


Confirmed fixed with information from https://github.com/Admidio/admidio/issues/1138

to join this conversation