Admidio Reflected Cross-Site Scripting Vulnerability in msg_window.php

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Admidio versions prior to 5.0.9. The issue allows an unauthenticated attacker to execute arbitrary JavaScript in the browser of any Admidio user. The vulnerability arises in the system/msg_window.php file, where user input is not properly sanitized before being processed. The endpoint uses htmlspecialchars() to encode certain characters, but this function does not encode square brackets. Subsequently, the Language::prepareTextPlaceholders() function converts these brackets into HTML angle brackets, turning bracketed text such as [script] into executable script tags. The vulnerability has been patched in Admidio version 5.0.9.
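To make the order-of-operations problem concrete, here is an added PHP illustration that is not Admidio's code: prepareTextPlaceholders() is a simplified stand-in for the bracket-to-angle-bracket conversion the advisory describes, and the hardened variant is an assumed allow-list approach, not the upstream 5.0.9 fix.

```php
<?php
// Simplified stand-in (assumption) for the conversion the advisory describes:
// square brackets become HTML angle brackets so placeholders render as tags.
function prepareTextPlaceholders(string $text): string
{
    return str_replace(['[', ']'], ['<', '>'], $text);
}

// Vulnerable order of operations: htmlspecialchars() runs first and leaves
// '[' and ']' untouched, so the later conversion manufactures live HTML tags
// out of attacker-controlled text.
function renderMessageVulnerable(string $userInput): string
{
    $encoded = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    return prepareTextPlaceholders($encoded);
}

// Hardened variant (assumption, not the upstream fix): only a fixed allow-list
// of placeholders is expanded, after the text has been HTML-encoded, so any
// other bracketed token stays as inert literal text.
function renderMessageHardened(string $userInput): string
{
    $allowed = [
        '[br]'  => '<br>',
        '[b]'   => '<strong>',
        '[/b]'  => '</strong>',
    ];
    $encoded = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    return strtr($encoded, $allowed);
}

// Sample input taken from the advisory's reproduction section.
$payload = '[script]alert(document.domain)[/script]';

// The vulnerable path yields markup the browser treats as a script element;
// the hardened path yields the same characters with the brackets intact.
echo "vulnerable: ", renderMessageVulnerable($payload), PHP_EOL;
echo "hardened:   ", renderMessageHardened($payload), PHP_EOL;

// A legitimate placeholder still works through the hardened path.
echo "formatting: ", renderMessageHardened('line one[br][b]bold[/b]'), PHP_EOL;
```

The same comparison applies to any encode-then-transform pipeline: encoding is only effective if it runs after the last step that can introduce markup.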

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser session. This could lead to theft of session cookies, unauthorized actions performed on behalf of the victim, or redirection to phishing sites.

Reproduction

To reproduce this vulnerability, send a GET request to the system/msg_window.php endpoint with a crafted message_var1 parameter that includes square brackets, such as '[script]alert(document.domain)[/script]'. The server will respond with a page that executes the JavaScript in the context of the user's browser.

Remediation

Users are advised to update to Admidio version 5.0.9, where this vulnerability has been fixed.

Added: May 7, 2026, 4:34 AM
Updated: May 7, 2026, 4:34 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 7.5
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.