Admidio / admidio

Admidio is a free open source user management system for websites of organizations and groups. The system has a flexible role model so that it’s possible to reflect the structure and permissions of your organization.
https://www.admidio.org
GNU General Public License v2.0

XSS possible within profile fields that contain URLs #1144

Closed Fasse closed 2 years ago

Fasse commented 2 years ago

When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link.

  1. Open https://www.admidio.org/demo_en/adm_program/system/login.php and log in as a member.
  2. Go to "My Profile" -> "Edit Profile".
  3. In the Facebook URL field, type asdf" autofocus onfocus="alert(document.domain) and save.
  4. Now, whenever an administrator or general user accesses my profile, XSS occurs.
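The defensive pattern that closes this class of bug, shown here as an added Python illustration rather than Admidio's own PHP code: encode the stored value for the HTML attribute context on output, and as defence in depth validate the URL on save. The function names and the allowed-scheme list are assumptions, and the sample input is the payload from the report above.

```python
import html
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list for social media links (an assumption, not Admidio's own rule).
ALLOWED_SCHEMES = {"http", "https"}


def validate_social_url(value: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host; return None otherwise.
    Input validation on save is defence in depth; it does not replace output encoding."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_url_input_unsafe(name: str, value: str) -> str:
    """The vulnerable pattern: the stored value is dropped into the attribute verbatim,
    so a double quote in it closes the value attribute and anything after becomes markup."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_url_input(name: str, value: str) -> str:
    """The fixed pattern: html.escape turns " into &quot; (and ' into &#x27;), so the
    stored value can never terminate the attribute it is placed in."""
    return (f'<input type="text" name="{html.escape(name)}" '
            f'value="{html.escape(value)}">')


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser would see on the <input> element."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_input_attributes(rendered: str) -> dict:
    """Parse rendered markup and return the <input> attributes, entities decoded."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs


# Constructed sample: the exact value from the reproduction steps.
PAYLOAD = 'asdf" autofocus onfocus="alert(document.domain)'
```

Parsing the output with an HTML parser rather than grepping for substrings is the honest check: with the unsafe renderer the parser reports an `onfocus` attribute on the element, with the fixed one it reports a single `value` attribute holding the original string.
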

P0cas commented 2 years ago

Hello @Fasse. Thank you for the patch. And maintainer, can you assign 2 CVEs to the vulnerabilities for the above 2 URLs?