Cross-site Scripting (XSS) - Stored in admidio/admidio
Dec 20th 2021
When adding a menu item while logged in as an administrator, the URL value is not validated, so an XSS payload is stored in the database. When the saved menu item is clicked afterwards, the XSS is triggered. (Because an administrator adds the menu item, ordinary users can click it as well.)
Proof of Concept
Through this vulnerability, an attacker is capable of executing malicious scripts in the browser of any user who clicks the stored menu item.
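The missing check described above is a server-side allow-list on the URL scheme before the menu entry is stored, plus attribute escaping when the link is rendered. The following is an added example written for this page, not admidio project code (admidio is PHP; Python is used here for a runnable demonstration). The function names `validate_menu_url`, `naive_check` and `render_menu_link` and the sample inputs are constructed for illustration; the normalization steps (dropping ASCII tab/CR/LF anywhere and C0 controls/spaces at the edges, lower-casing the scheme) mirror what browsers do before interpreting a `href`, which is why a plain `startswith("javascript:")` test is not enough.

```python
"""Allow-list validation for administrator-supplied menu URLs (added example)."""
import html
import re
from typing import Optional

# Browsers remove ASCII tab, CR and LF anywhere in a URL and strip leading /
# trailing C0 control characters and spaces before parsing the scheme.
_STRIP_ANYWHERE = re.compile(r"[\t\r\n]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Only these schemes may be stored for a menu link. Everything else
# (javascript:, data:, vbscript:, ...) is rejected rather than deny-listed.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_url(raw: str) -> str:
    """Apply the same pre-parse cleanup a browser applies to a href value."""
    return _STRIP_ANYWHERE.sub("", raw).strip(_C0_AND_SPACE)


def naive_check(raw: str) -> bool:
    """The kind of prefix test that is easy to bypass (shown for contrast)."""
    return not raw.lower().startswith("javascript:")


def validate_menu_url(raw: str) -> Optional[str]:
    """Return the normalized URL if it is safe to store, otherwise None.

    Accepted: absolute http(s) URLs and site-relative paths.
    Rejected: any other scheme, protocol-relative "//host" URLs, empty input.
    """
    url = normalize_url(raw)
    if not url:
        return None
    match = _SCHEME.match(url)
    if match is None:
        # No scheme: treat as a path on this site. "//evil.example" would be
        # protocol-relative and point off-site, so it is refused as well.
        return None if url.startswith("//") else url
    if match.group(1).lower() not in ALLOWED_SCHEMES:
        return None
    return url


def render_menu_link(url: str, label: str) -> str:
    """Render a stored (already validated) URL into an anchor tag.

    Escaping at output time is still required: a valid https URL may contain
    quotes or '<' that would otherwise break out of the attribute.
    """
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    # Constructed sample inputs an administrator form might receive.
    samples = [
        "https://example.org/members",
        "/adm_program/index.php",
        "javascript:alert(document.cookie)",
        " JavaScript:alert(1)",        # leading space + mixed case
        "java\tscript:alert(1)",       # tab inside the scheme
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/phish",
    ]
    for s in samples:
        print(f"{s!r:50} naive={naive_check(s)!s:5} allowlist={validate_menu_url(s)!r}")
```

Running the block prints, for each constructed input, whether the naive prefix test would have accepted it and what the allow-list validator returns; the two obfuscated `javascript:` variants pass the naive test but are refused by the validator, while the relative path and the https URL are kept.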