Cross-site Scripting (XSS) - Stored in microweber/microweber
Jan 2nd 2022
Proof of Concept

1. Visit the "Contact Us" page, enter <img src=asdasd onerror=alert(document.domain)> in the Message field, and click the Send Message button.
2. When the admin opens the Contact Us module in the admin panel, the attacker's XSS payload is executed.

- An attacker can steal the admin's CSRF token and perform unintended actions on their behalf, such as enabling/disabling a module, changing the website, and many more.
Root cause: the Message field is stored without sanitizing XSS payloads, and the stored content is rendered unescaped in the admin panel.
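As an added illustration of the root cause (example code written here, not microweber's own), the vulnerable rendering of a stored message beside a hardened version that encodes it for its HTML context; the table-cell markup and function names are assumptions.

```php
<?php
// Added example (not microweber's own code): why a stored contact-form
// message must be encoded for its HTML context before the admin panel shows it.

// Constructed sample input: the message body from the report's PoC, as the
// Contact Us form would store it.
$storedMessage = '<img src=asdasd onerror=alert(document.domain)>';

// Vulnerable rendering: the raw stored string is concatenated into the admin
// page, so the browser parses the <img> tag and fires the onerror handler.
function renderMessageUnsafe(string $message): string
{
    return '<td class="contact-message">' . $message . '</td>';
}

// Hardened rendering: entity-encode the string for an HTML text context so the
// browser displays the literal characters instead of interpreting them as
// markup. ENT_QUOTES also covers quoted attribute contexts; the charset must
// match the page's declared encoding.
function renderMessageSafe(string $message): string
{
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="contact-message">' . $encoded . '</td>';
}

// Defender's check: true when user-controlled markup survives verbatim into
// the generated HTML, i.e. the output is injectable.
function leaksMarkup(string $html, string $userInput): bool
{
    return strpos($html, $userInput) !== false;
}

$unsafe = renderMessageUnsafe($storedMessage);
$safe   = renderMessageSafe($storedMessage);

if (!leaksMarkup($unsafe, $storedMessage)) {
    throw new RuntimeException('expected the unsafe renderer to leak markup');
}
if (leaksMarkup($safe, $storedMessage)) {
    throw new RuntimeException('encoded output must not contain raw markup');
}

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Output encoding is the right fix when the admin view only needs to show the message as text; if rich text must be preserved, the stored HTML has to go through an allow-list HTML sanitizer instead, since encoding alone would display the tags literally.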