XSS vulnerability in Button module in microweber/microweber

Valid

Reported on

Sep 29th 2022


Steps

1. Visit https://demo.microweber.org

2. Click the 'Modules' option in the left-hand list

3. Click 'Button' to open the module

4. Click 'edit url' and enter the following:

><script>alert(1)

Proof of Concept Video

https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A
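The payload above works when the value entered in the 'edit url' field is written into the button's href attribute without validation or escaping. The following is an added example and is not Microweber's code, nor the fix shipped in 1.3.2; it shows an illustrative vulnerable render function beside a hardened one, with function names (`render_button_unsafe`, `sanitize_button_url`, `render_button_safe`) and inputs that are assumed for the demonstration. It also goes slightly beyond the report by showing why output escaping alone is not enough: a `javascript:` URL is a perfectly valid attribute value, so the scheme has to be checked as well.

```php
<?php
// Added example, not Microweber's code or its 1.3.2 fix: how a module that turns a
// user-supplied "url" field into an <a href> can be protected against the report's payload.

// Vulnerable pattern (illustrative): the value is concatenated straight into the attribute.
function render_button_unsafe(string $url, string $label): string
{
    return '<a class="btn" href="' . $url . '">' . $label . '</a>';
}

// Layer 1: restrict the URL to an allowlist of schemes. Output escaping alone cannot stop
// javascript: or data: URLs, because those contain nothing that needs escaping.
function sanitize_button_url(string $url): string
{
    $url = trim($url);
    // Browsers strip tab/newline characters before parsing the scheme, so a value that
    // contains any control character is rejected outright instead of being parsed.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return '#';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        // No scheme: accept as a relative link only if it cannot smuggle one in.
        return strpos($url, ':') === false ? $url : '#';
    }
    return in_array(strtolower($scheme), ['http', 'https', 'mailto'], true) ? $url : '#';
}

// Layer 2: escape for the HTML attribute context so quotes and angle brackets cannot
// terminate the attribute or the tag.
function render_button_safe(string $url, string $label): string
{
    $href = htmlspecialchars(sanitize_button_url($url), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="btn" href="' . $href . '">' . $text . '</a>';
}

// Constructed inputs (not from the report): the step-4 payload with the attribute-closing
// quote a browser needs, a javascript: URL that escaping alone would let through,
// and two legitimate values that must keep working.
$inputs = [
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
    'https://example.org/contact',
    'contact-us',
];
foreach ($inputs as $in) {
    echo "unsafe: " . render_button_unsafe($in, 'Click') . "\n";
    echo "safe:   " . render_button_safe($in, 'Click') . "\n\n";
}
```

Run with `php example.php`. In the unsafe output the first input closes the href attribute and injects a script element; in the safe output it is rendered as an inert, escaped string, and the `javascript:` input is replaced by `#`, while the absolute and relative links pass through unchanged.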

Impact

  1. Phishing, including obtaining various user accounts

  2. Stealing the user's cookies to obtain the user's private information, or using the user's identity to operate the website further;

  3. Hijacking user (browser) sessions to perform arbitrary operations, such as illegal transfers, forced posting of logs, e-mail, etc.

  4. Forced pop-ups of advertising pages, traffic generation, etc.

  5. Planting malware on the page ("web hanging horse", i.e. drive-by download);

  6. Conducting malicious operations, such as arbitrarily tampering with page information, deleting articles, etc.

  7. Carrying out large-scale client-side attacks, such as DDoS

  8. Obtaining client information, such as the user's browsing history, real IP, open ports, etc.

  9. Controlling the victim's machine to attack other websites;

  10. Chaining with other vulnerabilities, such as CSRF, to cause further harm;

  11. Escalating user privileges, including further penetration of the website

  12. Propagating cross-site scripting worms, etc.

We are processing your report and will contact the microweber team within 24 hours. 7 months ago
Christy__ modified the report 7 months ago
We have contacted a member of the microweber team and are waiting to hear back 7 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the microweber team. This report is now considered stale. 7 months ago
Peter Ivanov validated this vulnerability 5 months ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit 20df56 5 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
Christy__
3 months ago

Researcher


Hi @admin, @Maintainer, can you assign a CVE for this bug?

Ben Harvie published this vulnerability 3 months ago
Ben Harvie
3 months ago

Admin


Unfortunately, we had a bug and this report was stuck. The report has now been published and a CVE assigned as requested. Thanks :)
