Cross-site Scripting (XSS) - Reflected in microweber/microweber
Jan 2nd 2022
PAYLOAD for Firefox:
a' onafterscriptexecute=alert(document.domain) c='a (requires NO user interaction)
PAYLOAD for all major browsers:
a' onclick=alert(document.domain) c='a (requires user interaction)
NOTE: I'm using Firefox, so I used the first payload in the PoC. You can refer to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet to know which XSS payloads can be triggered in other browsers.
Proof of Concept
- On the Firefox browser, visit
XSS alert will pop-up showing the domain name.
- Steal the CSRF token of users and perform unintended actions on their behalf, like buying a product, etc.
and many more...
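Both payloads above work by closing a single-quoted attribute value and adding an event-handler attribute. The following is an added example, not code from the report or from the Microweber project: it reflects the reported payload into a constructed `<input>` tag the unsafe way and beside an attribute-context encoder, then parses the resulting tag's attributes to show that only the unencoded reflection gains an `on*` handler. The tag, function names and the encoded character set are assumptions for illustration.

```javascript
// Constructed input: the Firefox payload quoted in the report.
const PAYLOAD = "a' onafterscriptexecute=alert(document.domain) c='a";

// Vulnerable pattern: user input concatenated straight into a quoted attribute.
function renderUnsafe(value) {
  return `<input type='text' value='${value}'>`;
}

// Attribute-context encoding: every character that can terminate the value or
// start a new attribute becomes a numeric entity. Encoding '&' as well keeps the
// browser from decoding the output into something different from the input.
function encodeAttr(value) {
  return String(value).replace(/[&<>"'`]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Inverse of encodeAttr, mirroring what the browser does with the attribute value;
// shows the data survives intact, it just cannot break out of the quotes.
function decodeAttr(value) {
  return value.replace(/&#x([0-9A-Fa-f]+);/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function renderSafe(value) {
  return `<input type='text' value='${encodeAttr(value)}'>`;
}

// Minimal attribute tokenizer for a single tag: handles name='v', name="v",
// name=v and bare name. Returns the attribute names the browser would see.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s'"]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Simple check a reviewer or test can apply: did the reflection create an event handler?
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}

console.log(renderUnsafe(PAYLOAD), hasEventHandler(renderUnsafe(PAYLOAD))); // true
console.log(renderSafe(PAYLOAD), hasEventHandler(renderSafe(PAYLOAD)));     // false
```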
Hi, thanks for the report, we will fix it and post when it's ready.
Hi Peter, Please validate this vulnerability.
yes, it looks fixed.
Can you please validate this bug? There will be a button on the right side of this report.