Cross-site Scripting (XSS) - Reflected in microweber/microweber

Valid

Reported on

Feb 19th 2022


Description

Hi, the endpoint https://demo.microweber.org/demo/admin/page is vulnerable to cross-site scripting.

Proof of Concept

  1. Just navigate to the PoC URL: https://demo.microweber.org/demo/admin/page/8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n/edit

  2. Now move your mouse over the page; you will see an XSS popup.

(Log in if the site asks.)

Impact

Cross-site scripting attacks can lead to account takeover via cookie stealing, temporary site defacement, redirecting users to attacker-controlled sites, etc.
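The proof of concept above works because the path segment is written into a double-quoted HTML attribute without encoding, so the `"` in the segment closes the attribute and the remainder becomes new attributes. The following added illustration (not Microweber's code; the `render_unsafe` / `render_safe` templates are hypothetical) renders the report's own URL-decoded segment through a vulnerable template and a hardened one, then parses the result to show which attributes the browser would actually see:

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# The path segment from the report's PoC URL, URL-decoded (taken from the page, not constructed).
POC_SEGMENT = unquote(
    "8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3b"
    "width%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n"
)


def render_unsafe(page_id: str) -> str:
    """Hypothetical vulnerable template: the segment is interpolated verbatim into a
    double-quoted attribute, so a '"' in it terminates the value early."""
    return f'<input name="id" value="{page_id}">'


def render_safe(page_id: str) -> str:
    """Hardened form: HTML-encode the value with quotes included (quote=True, the
    equivalent of ENT_QUOTES in PHP's htmlspecialchars), so it stays one attribute."""
    return f'<input name="id" value="{escape(page_id, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser's tokenizer would split them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_attributes(html: str) -> dict:
    """Return the attribute map of the rendered <input> element (values entity-decoded)."""
    collector = _AttrCollector()
    collector.feed(html)
    collector.close()
    return collector.attrs


if __name__ == "__main__":
    unsafe = parsed_attributes(render_unsafe(POC_SEGMENT))
    safe = parsed_attributes(render_safe(POC_SEGMENT))
    # Unsafe rendering yields injected onmouseover and style attributes; safe rendering keeps
    # the whole segment inside the value attribute and adds no event handler.
    print("unsafe attributes:", sorted(unsafe))
    print("safe attributes:  ", sorted(safe))
```

The `style` attribute in the payload stretches the element over the viewport, which is why step 2 of the PoC fires on any mouse movement; with attribute encoding in place neither `style` nor `onmouseover` exists as an attribute.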

We are processing your report and will contact the microweber team within 24 hours. a year ago
Peter Ivanov validated this vulnerability a year ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit f7f5d4 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE