Cross-site scripting - DOM via view file function in microweber/microweber

Valid

Reported on

Apr 28th 2022


Description

In Modules -> Files, clicking a file opens a popup and appends a `select-file=` fragment to the URL; the value of this fragment is then used by the page's JavaScript, leading to DOM-based XSS.

Proof of Concept

http://localhost/microweber/admin/view:modules/load_module:files#select-file=http://google.com.vn%3Cimg%20src%3dx%20onerror%3d%22alert(window.origin)%22%20x=/%3E

PoC image

Impact

This vulnerability allows arbitrary JavaScript to be executed in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
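As an added illustration (this is not Microweber's code, nor the fix shipped in commit bd419c), the fragment handling described above written twice in plain JavaScript: an unsafe version that concatenates the fragment value into markup, and a hardened version that parses it as a URL, allows only http(s), and escapes it. The function names are hypothetical, and the DOM is stood in for by returning the string that `innerHTML` would receive, so the block runs in Node as well as in a browser.

```javascript
// Constructed from the PoC URL in the report: the location.hash part only.
const POC_HASH = '#select-file=http://google.com.vn%3Cimg%20src%3dx%20onerror%3d%22alert(window.origin)%22%20x=/%3E';

// Read the select-file parameter out of a location.hash string.
// URLSearchParams splits on the first '=' and percent-decodes the value.
function parseSelectFile(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('select-file');
}

// Vulnerable pattern: attacker-controlled text concatenated into markup.
// Returns the string that would be assigned to innerHTML.
function renderPreviewUnsafe(fileUrl) {
  return `<a href="${fileUrl}">${fileUrl}</a>`;
}

// Hardened step 1: treat the value as a URL, not as text to render.
// new URL() rejects hosts containing '<', '"' or spaces, and we allow
// only http(s) so javascript: and data: schemes are dropped as well.
function validateFileUrl(fileUrl) {
  let parsed;
  try { parsed = new URL(fileUrl); } catch { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened step 2: escape before the value ever reaches an HTML sink.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe render: validated, then escaped even though it passed validation.
// In a real DOM, prefer a.setAttribute('href', url) and a.textContent = url
// over building markup strings at all.
function renderPreviewSafe(fileUrl) {
  const valid = validateFileUrl(fileUrl);
  if (valid === null) return escapeHtml('Invalid file URL');
  return `<a href="${escapeHtml(valid)}">${escapeHtml(valid)}</a>`;
}

// Stand-alone demonstration with the report's payload.
const selected = parseSelectFile(POC_HASH);
console.log('unsafe:', renderPreviewUnsafe(selected)); // contains a live <img onerror=...>
console.log('safe:  ', renderPreviewSafe(selected));   // payload rejected, no markup emitted
```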

We are processing your report and will contact the microweber team within 24 hours. (a year ago)
Nhien.IT modified the report (a year ago)
Nhien.IT modified the report (a year ago)
We have contacted a member of the microweber team and are waiting to hear back. (a year ago)
Peter Ivanov modified the Severity from High to Low (a year ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability (a year ago)
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit bd419c (a year ago)
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Nhien.IT
a year ago

Researcher


Hi @maintainer,

Has this vulnerability been assigned a CVE ID?

Nhien.IT
a year ago

Researcher


Hi @admin,

Can I have a CVE for this report?

Jamie Slome
a year ago

Admin


Typically, we won't assign CVEs to reports that have such low security impact - however, if the maintainer is happy to assign and publish one, we can.

@maintainer - are you happy for a CVE to be assigned and published for this report?

Nhien.IT
a year ago

Researcher


Hi @admin @maintainer,

There's unfairness here, because another report in microweber with the same attack vector was marked high severity and received a bounty and a CVE, but mine did not :). I am so sorry, because I don't understand.

You can see at https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687/

Please consider this for me.
