Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Dec 20th 2021


Description

When adding a menu after logging in with an administrator account, the URL value is not validated, so an XSS payload is stored in the database. When the saved menu is later clicked, the XSS is triggered. (If an administrator adds the menu, normal users can click it too.)

Proof of Concept

1. Open the https://www.admidio.org/demo_en
2. Log in as administrator
3. Go to https://www.admidio.org/demo_en/adm_program/modules/menu/menu_new.php
4. Fill in the fields and enter javascript:alert(document.domain) as the URL value.
5. Click the saved menu

Video : https://youtu.be/rvopFkFlfuw
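The root cause above is a menu URL that is stored and rendered as-is, so a `javascript:` value becomes a clickable script. As an added illustration (not Admidio's code and not the project's actual fix), the following Python shows an allow-list check of the kind a server should apply before storing such a value, plus attribute escaping at render time; the sample URLs and the function names are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit
import html

# Only these schemes may appear in a stored menu link (design choice for this example).
ALLOWED_SCHEMES = {"http", "https"}


def validate_menu_url(raw: str) -> Optional[str]:
    """Return the URL if it is safe to store as a menu link, else None."""
    # Browsers ignore ASCII control characters inside a scheme and leading
    # whitespace, so "java\tscript:" still executes. Strip them before parsing
    # so the check sees the same scheme the browser will.
    cleaned = "".join(ch for ch in raw if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    if not cleaned:
        return None
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return None
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: scheme must be on the allow-list and a host must be present.
        if scheme not in ALLOWED_SCHEMES or not parts.netloc:
            return None
        return cleaned
    # No scheme: accept only site-relative paths; "//host" is protocol-relative
    # and would point off-site, so it is rejected as well.
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return None


def render_menu_link(name: str, raw_url: str) -> str:
    """Render a menu entry; a rejected URL degrades to plain text instead of a link."""
    safe_url = validate_menu_url(raw_url)
    if safe_url is None:
        return f"<span>{html.escape(name)}</span>"
    # Attribute escaping is a separate defence: it stops quote break-outs even
    # when the scheme itself is acceptable.
    return f'<a href="{html.escape(safe_url, quote=True)}">{html.escape(name)}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: the payload from the report beside benign links.
    for url in ["javascript:alert(document.domain)", "java\tscript:alert(1)",
                "//evil.example/", "https://www.admidio.org/demo_en",
                "/adm_program/modules/menu/menu_new.php"]:
        print(repr(url), "->", render_menu_link("Menu", url))
```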

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.

We are processing your report and will contact the admidio team within 24 hours. a month ago
Pocas
a month ago

Researcher


Hello! I discovered Stored XSS. Can you assign a CVE for this too? Thank you!

Markus Faßbender validated this vulnerability a month ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pocas
a month ago

Researcher


When will the status update be done?

Adam Nygate confirmed that a fix has been merged on 56a0bd a month ago
The fix bounty has been dropped
Adam Nygate
a month ago

Admin


Confirmed fixed with information from https://github.com/Admidio/admidio/issues/1138