Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 20th 2021


Description

When adding a menu entry after logging in with an administrator account, the URL value is not validated, so a javascript: XSS payload is stored in the database. When the saved menu entry is later clicked, the XSS is triggered. (If an administrator adds the menu entry, normal users can click it too.)

Proof of Concept

1. Open https://www.admidio.org/demo_en
2. Log in as administrator
3. Go to https://www.admidio.org/demo_en/adm_program/modules/menu/menu_new.php
4. Fill in the fields and enter javascript:alert(document.domain) as the URL value.
5. Click the saved menu entry

Video : https://youtu.be/rvopFkFlfuw

Impact

Through this vulnerability, an attacker is able to execute malicious scripts in the browser of any user who clicks the saved menu entry.
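The root cause described above is a missing check on the scheme of a user-supplied link. The following is an added example (not Admidio's code and not the fix referenced later in this report) of the validation a menu URL should pass before it is stored and the escaping it needs when rendered. The allowed scheme set, the function names and the sample inputs are assumptions for this example. It normalizes the input the way browsers do before parsing (stripping leading/trailing control characters and removing embedded tab, newline and carriage return), so that variants such as `java\tscript:` or mixed-case schemes do not slip past a naive prefix check.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed policy for this example: only these schemes may appear in a stored
# menu link. javascript:, data:, vbscript: and anything else is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Per the WHATWG URL parsing rules, browsers strip leading and trailing
# C0 controls and spaces (U+0000..U+0020) and drop every ASCII tab, LF and CR
# inside the string before they look at the scheme. A validator that does not
# do the same can be bypassed with "  java\tscript:alert(1)".
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))
_INNER_DROP = re.compile(r"[\t\n\r]")

# A scheme is an ASCII letter followed by letters, digits, '+', '-' or '.',
# terminated by ':'. Anything that does not match is a relative URL.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(raw: str) -> str:
    """Apply the browser's pre-parse normalization so we judge what the browser will see."""
    return _INNER_DROP.sub("", raw.strip(_EDGE_STRIP))


def is_safe_menu_url(raw: str) -> bool:
    """Return True if the link is relative or uses an allowed scheme."""
    url = normalize_url(raw)
    if not url:
        return False
    match = _SCHEME_RE.match(url)
    if match is None:
        # No scheme: a relative path such as /adm_program/index.php stays on
        # this site and cannot carry a javascript: handler.
        return True
    scheme = match.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # For http(s) also require that the parser actually sees a host, so that
    # malformed values are rejected at input time rather than at render time.
    if scheme in ("http", "https"):
        return bool(urlsplit(url).netloc)
    return True


def render_menu_link(label: str, raw_url: str) -> str:
    """Render the stored link as HTML. Validation is repeated on output as
    defense in depth; the href and text are always attribute/HTML escaped."""
    url = normalize_url(raw_url)
    if not is_safe_menu_url(url):
        raise ValueError("refusing to render a menu link with a disallowed scheme")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: the report's payload plus a few bypass variants.
    for candidate in [
        "https://www.admidio.org/demo_en/",
        "/adm_program/index.php",
        "javascript:alert(document.domain)",
        "JaVaScRiPt:alert(document.domain)",
        "  java\tscript:alert(document.domain)",
        "data:text/html,<script>alert(1)</script>",
    ]:
        print(f"{candidate!r:50} -> {'allowed' if is_safe_menu_url(candidate) else 'rejected'}")
```

The check must run on the decoded value that will actually be stored, and the same value must still be escaped when it is written into the `href` attribute; allow-listing the scheme stops `javascript:` handlers, escaping stops the value from breaking out of the attribute.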

We are processing your report and will contact the admidio team within 24 hours. 2 years ago
Pocas
2 years ago

Researcher


Hello! I discovered Stored XSS. Can you assign a CVE for this too? thank you!

Markus Faßbender validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pocas
2 years ago

Researcher


When will the status update be done?

Adam Nygate marked this as fixed in 4.0.13 with commit 56a0bd 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Adam Nygate
2 years ago

Admin


Confirmed fixed with information from https://github.com/Admidio/admidio/issues/1138
