Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on

Feb 20th 2022


Description

The endpoint https://demo.microweber.org/demo/admin/post/{id}/edit is vulnerable to cross site scripting. The "Edit source" field is affected.

Proof of Concept

  1. Login into https://demo.microweber.org
  2. Navigate to https://demo.microweber.org/demo/admin/post/25/edit
  3. click EditSource, and put this payload:

<img src=x onerror=alert(1)>

  1. and click Ok
  2. The xss payload will be executed.

Impact

Cross site scripting attacks can lead to account takeover via cookie stealing, temporary webpage deface, redirections etc.

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the microweber team. We will try again in 7 days. 3 months ago
Bozhidar Slaveykov confirmed that a fix has been merged on 15e519 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty
Bozhidar
3 months ago

Maintainer


We clean this xss on a backend

to join this conversation