Cross-site Scripting (XSS) - Stored in admidio/admidio


Reported on Dec 20th 2021


When adding a menu after logging in as an administrator, the URL value is not validated, so an XSS payload is stored in the database. When the saved menu is clicked, the XSS is triggered. (If an administrator adds a menu, normal users can click it too.)

Proof of Concept

1. Open the
2. Log in as administrator
3. Go to
4. Fill in the field and pass javascript:alert(document.domain) as the URL value.
5. Click the saved menu

Video:


Through this vulnerability, an attacker is capable of executing malicious scripts in the browser of any user who clicks the menu entry.
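As an added example (not admidio's own code; the function names and sample inputs are constructed), the kind of server-side check that closes this class of bug: a menu link is accepted only if it is an absolute http(s) URL or a site-relative path, so a `javascript:` value is rejected before it reaches the database, and the stored value is still HTML-encoded when the link is rendered.

```php
<?php
// Added example, not part of admidio. validateMenuUrl() and renderMenuLink()
// are hypothetical names for the validation and rendering steps.
declare(strict_types=1);

/**
 * Accept only absolute http(s) URLs or site-relative paths for a menu entry.
 * Returns the trimmed URL, or null when the value must be rejected.
 */
function validateMenuUrl(string $url): ?string
{
    $clean = trim($url);
    if ($clean === '') {
        return null;
    }

    // Reject embedded control characters and whitespace: browsers ignore
    // them inside a scheme, so "java\tscript:" would otherwise bypass a
    // naive string comparison against "javascript:".
    if (preg_match('/[\x00-\x20\x7F]/', $clean) === 1) {
        return null;
    }

    // Site-relative path: a single leading "/" is fine, but "//host/..." is a
    // protocol-relative URL pointing at an arbitrary host.
    if ($clean[0] === '/') {
        return (strlen($clean) > 1 && $clean[1] === '/') ? null : $clean;
    }

    // Absolute URL: require a parseable scheme and host, and allow only
    // http/https. This rejects javascript:, data:, vbscript:, file:, ...
    $parts = parse_url($clean);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $clean;
}

/**
 * Render the menu link. Output encoding is applied regardless of input
 * validation so a stored value can never break out of the attribute.
 */
function renderMenuLink(string $label, string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs: two legitimate values and several that an
// unvalidated menu form would store as-is.
$samples = [
    'https://www.admidio.org/',
    '/adm_program/overview.php',
    'javascript:alert(document.domain)',
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    '//evil.example/',
    'data:text/html,<script>alert(1)</script>',
];

foreach ($samples as $sample) {
    $result = validateMenuUrl($sample);
    printf(
        "%-48s => %s\n",
        json_encode($sample),
        $result === null ? 'REJECTED' : 'stored: ' . renderMenuLink('Menu', $result)
    );
}
```

The first two samples are accepted and rendered with the URL encoded inside the `href`; the remaining five are rejected, the mixed-case and tab-separated variants included, because the check works on the parsed scheme rather than a literal prefix match.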

We are processing your report and will contact the admidio team within 24 hours. a month ago


Hello! I discovered Stored XSS. Can you assign a CVE for this too? thank you!

Markus Faßbender validated this vulnerability a month ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
a month ago


When will the status update be done?

Adam Nygate confirmed that a fix has been merged on 56a0bd a month ago
The fix bounty has been dropped
Adam Nygate
a month ago


Confirmed fixed with information from