Reflected XSS in microweber/microweber

Valid

Reported on Apr 28th 2022


Description

Bypass XSS filter on /module/

Proof of Concept

https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=x"draggable="true"ondragexit=alert(1)&class=x&from_url=x

Drag something around to trigger the XSS. Might only work in Firefox.

How to fix

This is still CVE-2022-1439 basically.
I can break out of these html attributes, this time I use another parameter cuz I need a valid ?module= to get some html elements which I need to trigger this event handler, but the core bug is the same.

This affects many parameters on /module/; you can even define your own and they'll be appended as HTML attribs. You cannot allow breaking out of these with quotes.

Maybe you can just replace " and ' here like < and >.

Impact

Executing JavaScript as the victim
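
The fix suggested in the report, sketched in PHP as an added example (not microweber's code and not part of the report). `render_attrs_weak` and `render_attrs_safe` are hypothetical helpers that assume request parameters are written out as attributes of a single element; the sample input is the `id` value from the proof-of-concept URL, URL-decoded.

```php
<?php
declare(strict_types=1);

// Weak filter (assumed, per the report): only angle brackets are stripped,
// so a double quote in the value still closes the attribute.
function render_attrs_weak(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        $value = str_replace(['<', '>'], '', (string) $value);
        $out .= " {$name}=\"{$value}\"";
    }
    return "<div{$out}></div>";
}

// Hardened: restrict the shape of caller-defined attribute names, refuse
// event-handler names, and HTML-encode values including both quote characters.
function render_attrs_safe(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        $name = strtolower((string) $name);
        if (!preg_match('/^[a-z][a-z0-9_-]*$/', $name) || strncmp($name, 'on', 2) === 0) {
            continue; // the parameter name must not become markup or a handler
        }
        if (!is_scalar($value)) {
            continue; // e.g. arrays from ?id[]=... are not rendered
        }
        $value = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= " {$name}=\"{$value}\"";
    }
    return "<div{$out}></div>";
}

// Constructed input: the "id" value from the proof-of-concept URL, URL-decoded.
$params = [
    'id'    => 'x"draggable="true"ondragexit=alert(1)',
    'class' => 'x',
];

echo render_attrs_weak($params), PHP_EOL;
echo render_attrs_safe($params), PHP_EOL;
```

In the first line of output the quote ends the `id` attribute and the rest of the value is parsed as separate attributes; in the second the quotes are emitted as `&quot;` and the whole string stays inside `id`.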

We are processing your report and will contact the microweber team within 24 hours. a year ago
Finn Westendorf modified the report a year ago
Finn Westendorf (Researcher), a year ago:

https://demo.microweber.org/demo/module/?module=x%22draggable=%22true%22ondragexit=alert(1)&id=x&class=x&from_url=x&style=width:100%25;height:100

For the record, here's the same bypass in the same old "module" parameter, but you have to drag something else over it, e.g. a bookmark.

We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
Peter Ivanov validated this vulnerability a year ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.16 with commit 527abd a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE