Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Mar 9th 2022


Description

The type parameter in the body of the POST request sent when adding or editing a tax in Microweber is not sanitized or output-encoded, so a value stored through it is rendered back into the page and results in stored XSS.

(1) Settings > Taxes > Tax type

Proof of Concept

Step (1): Access https://demo.microweber.org/?template=dream

Step (2): Browse to Settings > Taxes > Tax type

Step (3): Add a tax or edit an existing one, entering a legitimate value, so that the legitimate request can be captured (for example with an intercepting proxy)

Step (4): Modify the value of the type parameter in the POST request body to the payload below (shown URL-encoded, exactly as it appears in the request body):

"><img+src%3dx+onerror%3dalert(document.domain)>


Step (5): Forward the request after modification

Because the value is stored, an attacker-controlled alert box is displayed every time any user opens this page (Settings > Taxes > Tax type), not only in the session that submitted it.

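The steps above show the payload only in its URL-encoded form. As an added example (not Microweber's code, and not part of the original report), the snippet below decodes that exact payload the way a form-encoded body is decoded, shows why it breaks out of an HTML attribute when the stored value is concatenated into markup, and shows the attribute-context encoding that neutralises it. The input template is a hypothetical stand-in for whatever markup Microweber actually renders for the tax type field.

```javascript
// Added example: decoding the report's payload and comparing an unescaped
// template against an attribute-encoded one. The <input> template is a
// hypothetical stand-in, not Microweber's real markup.

// The exact string from Step 4, as it sits in an
// application/x-www-form-urlencoded POST body.
const ENCODED_PAYLOAD = '"><img+src%3dx+onerror%3dalert(document.domain)>';

// Form encoding represents spaces as '+', which decodeURIComponent does not
// understand, so translate those first and then percent-decode.
function decodeFormValue(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Vulnerable rendering: the stored value is interpolated straight into the
// value attribute. The leading '"' in the payload closes the attribute and
// the '>' closes the tag, so the <img> that follows becomes real markup.
function renderTaxTypeVulnerable(type) {
  return `<input type="text" name="type" value="${type}">`;
}

// Attribute-context encoder: the five characters that can terminate an
// attribute or start a tag are replaced by entities.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: same template, encoded interpolation.
function renderTaxTypeSafe(type) {
  return `<input type="text" name="type" value="${escapeHtmlAttr(type)}">`;
}

// Crude check: count element start tags in a rendered fragment. The template
// contributes exactly one (<input>); any additional tag came from the data.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Walk the payload through both renderers and report what each produced.
function demonstrate() {
  const decoded = decodeFormValue(ENCODED_PAYLOAD);
  const vulnerable = renderTaxTypeVulnerable(decoded);
  const safe = renderTaxTypeSafe(decoded);
  return {
    decoded,
    vulnerableTagCount: countTags(vulnerable), // 2: <input> plus injected <img>
    safeTagCount: countTags(safe),             // 1: only the <input>
    vulnerable,
    safe,
  };
}

console.log(demonstrate());
```

Note that the encoder above is only correct for values placed inside a quoted attribute or in element text; a value echoed into a JavaScript string, a URL, or an unquoted attribute needs a different encoder for that context.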

Impact

If an attacker can get a script executed in the victim's browser, they can compromise that user, in this case an administrator, for example by stealing the session cookie. Because the payload is stored, it fires for every administrator who opens Settings > Taxes > Tax type. Note that reading the cookie from script only works when the session cookie is not flagged HttpOnly; even when it is, the injected script still runs with the administrator's privileges and can issue authenticated requests to the admin panel on their behalf.

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
James Yeung modified the report 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on fc9137 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty