Cross-site Scripting (XSS) - Reflected in microweber/microweber
Reported on
Feb 20th 2022
Description
The endpoint https://demo.microweber.org/demo/admin/post/{id}/edit is vulnerable to cross-site scripting. The "Edit source" field of the post editor is affected: HTML entered there is rendered without sanitization, so an element with an event-handler attribute executes script in the context of the application.
Proof of Concept
- Log in to https://demo.microweber.org
- Navigate to https://demo.microweber.org/demo/admin/post/25/edit
- Click "Edit source" and enter this payload:
<img src=x onerror=alert(1)>
- Click OK.
- The XSS payload executes (the alert box appears).
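The payload works because the "Edit source" field accepts arbitrary HTML and the server stores and renders it unchanged. The usual fix for an HTML source editor is to run the submitted markup through an allowlist sanitizer on the server before storing it, keeping only known-safe tags and attributes and dropping every `on*` event handler and `javascript:` URL. The following is an added example written for this report, not Microweber's own code; the tag and attribute allowlist, the `sanitize()` helper and the `stripped` log are assumptions chosen for illustration, and a production deployment would normally use a maintained sanitizer library rather than a hand-written one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist for rich-text post content: tag -> permitted attributes.
# Anything not listed here is dropped. Event handlers (on*) are never allowed.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and any other non-allowlisted scheme."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serializes HTML keeping only allowlisted tags/attributes.

    Unknown tags are removed but their text content is kept (escaped), so
    <script>alert(1)</script> degrades to the literal text alert(1).
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stripped = []  # record of what was removed, useful for detection logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.stripped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Drop every event handler and every attribute not allowlisted for this tag.
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                self.stripped.append(f"attr:{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.stripped.append(f"url:{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so nothing becomes markup on output.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, list_of_removed_items)."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.stripped


if __name__ == "__main__":
    # Constructed inputs: the report's payload plus two common variants.
    for sample in ['<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<script>alert(1)</script><p>hi <b>there</b></p>']:
        clean, removed = sanitize(sample)
        print(repr(sample), "->", repr(clean), "removed:", removed)
```

Run against the report's payload, the sanitizer keeps the `<img>` element and its `src` but drops `onerror`, so nothing executes; the `stripped` list doubles as a signal that someone tried to submit an event handler, which is worth alerting on for an admin-only editor.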
Impact
Cross-site scripting attacks can lead to account takeover via session cookie theft, temporary defacement of the page, redirection of visitors to attacker-controlled sites, and similar abuse; because the affected field is in the admin post editor, the script runs with the privileges of whichever administrator views the post.