XSS vulnerability in Button module in microweber/microweber

Valid

Reported on

Sep 29th 2022


Steps

1. Visit https://demo.microweber.org

2. Click the option 'Modules' in the left list

3. Click and go into the 'Button' module

4. Click 'edit url' and enter the following:

><script>alert(1)

Proof of Concept Video

https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A

Impact

1. Phishing, including obtaining various user accounts.

2. Stealing the user's cookies to obtain the user's private information, or using the user's identity to perform further operations on the website.

3. Hijacking user (browser) sessions to perform arbitrary operations, such as illegal transfers, forced posting of logs, e-mail, etc.

4. Forced pop-up of advertising pages, traffic, etc.

5. Planting malware on the web page ("hanging horse").

6. Conducting malicious operations, such as arbitrarily tampering with page information, deleting articles, etc.

7. Carrying out large numbers of client-side attacks, such as DDoS.

8. Obtaining client information, such as the user's browsing history, real IP, open ports, etc.

9. Controlling the victim's machine to attack other websites.

10. Causing further harm in combination with other vulnerabilities, such as CSRF.

11. Escalating user privileges, including further penetration of the website.

12. Propagating cross-site scripting worms, etc.
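The report shows a stored URL field being written straight into a button's href attribute, so the `>` in the payload closes the attribute and the tag and the rest lands as markup. The example below is added here as an illustration and is not Microweber's code or the fix from commit 20df56: the template shape, the function names (`renderButtonUnsafe`, `sanitizeButtonUrl`, `renderButtonSafe`) and the sample inputs are all assumptions chosen to show the defect next to a hardened renderer that (a) allow-lists the URL scheme and (b) escapes the value for the attribute context.

```javascript
// Added example, not Microweber's code: rendering a user-controlled button URL
// into <a href>, first the unsafe way the report describes, then hardened.

// Constructed input modelled on the payload in the report.
const REPORTED_PAYLOAD = '><script>alert(1)';

// Minimal HTML escaper for text and double-quoted attribute contexts:
// the five characters that can end an attribute value or open new markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe (hypothetical template): interpolates the stored URL verbatim, so a
// payload containing '>' breaks out of the attribute and the tag.
function renderButtonUnsafe(url, label) {
  return `<a class="btn" href="${url}">${label}</a>`;
}

// Step (a): accept only relative paths/fragments or absolute http(s)/mailto URLs.
// Returns the normalised URL, or null when the value is rejected.
function sanitizeButtonUrl(url) {
  const trimmed = String(url).trim();
  // Relative path, fragment or query is fine, but '//host' would be scheme-relative.
  if (/^[\/#?]/.test(trimmed) && !trimmed.startsWith('//')) return trimmed;
  let parsed;
  try {
    parsed = new URL(trimmed);          // throws for scheme-less junk like the payload
  } catch {
    return null;
  }
  const allowedSchemes = new Set(['http:', 'https:', 'mailto:']);
  return allowedSchemes.has(parsed.protocol) ? parsed.href : null;
}

// Step (b): escape for the attribute context regardless of what (a) returned.
// Rejected URLs fall back to an inert '#', which is where a server would also
// log the rejection for detection.
function renderButtonSafe(url, label) {
  const safeUrl = sanitizeButtonUrl(url);
  const href = safeUrl === null ? '#' : escapeHtml(safeUrl);
  return `<a class="btn" href="${href}">${escapeHtml(label)}</a>`;
}

// Usage: compare the two renderings for the reported payload.
console.log(renderButtonUnsafe(REPORTED_PAYLOAD, 'Go'));
console.log(renderButtonSafe(REPORTED_PAYLOAD, 'Go'));
```

Scheme allow-listing alone is not enough (a valid https URL can still carry a `"` in its query), and escaping alone is not enough (a `javascript:` URL is perfectly valid attribute text), which is why the hardened renderer does both.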

We are processing your report and will contact the microweber team within 24 hours. a year ago
Christy__ modified the report a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
We have sent a second follow up to the microweber team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the microweber team. This report is now considered stale. a year ago
Peter Ivanov validated this vulnerability a year ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit 20df56 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
Christy__
10 months ago

Researcher


Hi, @admin, @Maintainer, can you assign a CVE for this bug?

Ben Harvie published this vulnerability 10 months ago
Ben Harvie
10 months ago

Admin


Unfortunately, we had a bug and this report was stuck. The report has now been published and a CVE assigned as requested. Thanks :)
