Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on

Feb 20th 2022

Description

The endpoint https://demo.microweber.org/demo/admin/post/{id}/edit is vulnerable to cross site scripting. The "Edit source" field is affected.

Proof of Concept

  1. Login into https://demo.microweber.org
  2. Navigate to https://demo.microweber.org/demo/admin/post/25/edit
  3. click EditSource, and put this payload:

<img src=x onerror=alert(1)>

  1. and click Ok
  2. The xss payload will be executed.

Impact

Cross site scripting attacks can lead to account takeover via cookie stealing, temporary webpage deface, redirections etc.

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Bozhidar Slaveykov validated this vulnerability 2 years ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the microweber team. We will try again in 7 days. 2 years ago
Bozhidar Slaveykov marked this as fixed in 1.2.11 with commit 15e519 2 years ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE
Bozhidar
2 years ago

Maintainer

We clean this xss on a backend

to join this conversation