Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Jan 2nd 2022


Description

Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage.

Proof of Concept

1 Visit "Contact Us" page and put <img src=asdasd onerror=alert(document.domain)> in Message field. Click on Send Message button.

2 Now, the admin opens the Contact Us module in admin panel and attacker's xss payload will be executed.

Impact

The attacker can execute any arbitrary javascript code and acheive the following:

  1. Steal CSRF token of the admins and do any unintended actions on their behalf like enable/disable a module, change website etc.
  2. Execute malicious javascript e.g. crypto miners

and many more...

Occurrences

Not cleaning xss payloads

We are processing your report and will contact the microweber team within 24 hours. 5 months ago
We have contacted a member of the microweber team and are waiting to hear back 5 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 4 months ago
Bozhidar
4 months ago

Maintainer


its fixed

Bozhidar
4 months ago

Maintainer


https://github.com/microweber/microweber/commit/b64ef574b82dbf89a908e1569d790c7012d1ccd7

Peter Ivanov validated this vulnerability 4 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on b64ef5 4 months ago
Peter Ivanov has been awarded the fix bounty
FormsManager.php#L137-L794 has been validated
to join this conversation