Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Mar 9th 2022


Description

The `type` parameter in the body of the POST request sent when adding or editing a tax in Microweber is vulnerable to stored XSS.

(1) Settings > Taxes > Tax type

Proof of Concept

Step (1): Access https://demo.microweber.org/?template=dream

Step (2): Browse to Settings > Taxes > Tax type

Step (3): Add a tax or edit the current one, entering a legitimate value so that a legitimate request can be captured

Step (4): Modify the value of the `type` parameter in the POST request body to the example below (URL-encoded):

"><img+src%3dx+onerror%3dalert(document.domain)>


Step (5): Forward the request after modification

An attacker-controlled alert box is displayed whenever a user accesses this page (Settings > Taxes > Tax type).


Impact

If an attacker can control a script that is executed in the victim's browser, they might compromise that user, in this case an admin, by stealing their cookies.
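The following is an added example, not Microweber's own code, showing why the stored `type` value must be HTML-escaped when the tax page is rendered. It decodes the report's URL-encoded payload from a constructed form body, renders it both unescaped (the reported behaviour) and escaped (the fix), and checks each fragment for a live event handler; the function names and the `name`/`rate` fields are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed request body: the `type` value is the URL-encoded payload from the report.
RAW_BODY = 'name=VAT&rate=20&type="><img+src%3dx+onerror%3dalert(document.domain)>'

# Crude marker for an element carrying an on* handler; used only for the demonstration check.
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def parse_tax_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way the server would."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def render_tax_row_vulnerable(tax: dict) -> str:
    """Reported behaviour: stored values are concatenated into HTML unchanged."""
    return f'<td>{tax["name"]}</td><td>{tax["rate"]}</td><td>{tax["type"]}</td>'


def render_tax_row_hardened(tax: dict) -> str:
    """Fixed behaviour: every stored value is HTML-escaped at output time."""
    cells = (html.escape(tax[k], quote=True) for k in ("name", "rate", "type"))
    return "".join(f"<td>{c}</td>" for c in cells)


def contains_injected_handler(fragment: str) -> bool:
    """True if the rendered fragment contains a real element with an on* attribute."""
    return EVENT_HANDLER.search(fragment) is not None


if __name__ == "__main__":
    tax = parse_tax_form(RAW_BODY)
    print("decoded type field:", tax["type"])
    print("vulnerable render injects handler:",
          contains_injected_handler(render_tax_row_vulnerable(tax)))
    print("hardened render injects handler:",
          contains_injected_handler(render_tax_row_hardened(tax)))
```

Escaping at output is the general fix: it neutralises this payload and any other stored value without needing to guess what an attacker will submit.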

We are processing your report and will contact the microweber team within 24 hours. (a year ago)
James Yeung modified the report (a year ago)
We have contacted a member of the microweber team and are waiting to hear back (a year ago)
Bozhidar Slaveykov validated this vulnerability (a year ago)
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit fc9137 (a year ago)
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE