Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Jan 2nd 2022

Description

Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage.

Proof of Concept

1 Visit "Contact Us" page and put <img src=asdasd onerror=alert(document.domain)> in Message field. Click on Send Message button.

2 Now, the admin opens the Contact Us module in admin panel and attacker's xss payload will be executed.

Impact

The attacker can execute any arbitrary javascript code and acheive the following:

  1. Steal CSRF token of the admins and do any unintended actions on their behalf like enable/disable a module, change website etc.
  2. Execute malicious javascript e.g. crypto miners

and many more...

Occurrences

Not cleaning xss payloads

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
We have sent a second follow up to the microweber team. We will try again in 10 days. a year ago
Bozhidar
a year ago

Maintainer

its fixed

Bozhidar
a year ago

Maintainer

https://github.com/microweber/microweber/commit/b64ef574b82dbf89a908e1569d790c7012d1ccd7

Peter Ivanov validated this vulnerability a year ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit b64ef5 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
FormsManager.php#L137-L794 has been validated
to join this conversation