Reflected XSS in microweber in microweber/microweber

Valid

Reported on

Apr 28th 2022


Description

Hi there, in your latest version (1.2.15) Docker image here https://registry.hub.docker.com/r/microweber/microweber, I found a reflected XSS.

Endpoint: http://localhost/admin/view:content/action:settings?group=template&template
Param: template
Payload: shopmag"><ScRiPt%20>alert(document.cookie)</ScRiPt>

Proof of Concept

http://localhost/admin/view:content/action:settings?group=template&template=shopmag%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E

[screenshot: xss2.png]

Impact

Execute arbitrary JavaScript as the attacked user, steal the admin cookie...
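The reflection described in the report, rendered as an added example (this is not Microweber's code): a settings page that echoes the `template` query parameter into an HTML attribute without escaping, next to the same page with attribute-context escaping applied. The `<input>` markup and the exact sink are assumptions; the payload and PoC URL are the report's own. A small HTML parser counts the `<script>` start tags each version emits, which is the check a reviewer would run against a fix.

```python
"""Reflected XSS in an HTML attribute: vulnerable rendering vs. escaped rendering.

Added example, not Microweber code. The <input> template below is an
assumption, modelled on a settings page that echoes ?template= back into an
attribute value.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# PoC URL from the report and its payload after URL-decoding.
POC_URL = (
    "http://localhost/admin/view:content/action:settings"
    "?group=template&template=shopmag%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E"
)
PAYLOAD = 'shopmag"><ScRiPt >alert(document.cookie)</ScRiPt>'


def template_param(url: str) -> str:
    """Return the decoded `template` query parameter, as a framework would hand it to the view."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("template", [""])[0]


def render_vulnerable(template: str) -> str:
    """The bug: the parameter is written straight into a double-quoted attribute.

    A value containing `">` closes the attribute and the tag, and everything
    after it is parsed as new markup.
    """
    return f'<input type="hidden" name="template" value="{template}">'


def render_fixed(template: str) -> str:
    """The fix: escape &, <, >, " and ' so the value can never leave the attribute."""
    safe = html.escape(template, quote=True)
    return f'<input type="hidden" name="template" value="{safe}">'


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the browser's tokenizer would see (tag names are case-folded)."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(rendered: str) -> int:
    """Number of script elements in a rendered fragment; anything above zero is a successful breakout."""
    counter = ScriptTagCounter()
    counter.feed(rendered)
    counter.close()
    return counter.script_tags


if __name__ == "__main__":
    value = template_param(POC_URL)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(value)
        print(f"{name}: {count_script_tags(page)} script tag(s)\n  {page}")
```

Escaping is context-specific: `html.escape` is correct for text nodes and quoted attribute values, but a value placed inside an unquoted attribute, a `<script>` block or a URL needs a different encoder. On the stated impact, one caveat: if the admin session cookie carries the HttpOnly flag, `document.cookie` will not expose it, although the injected script still runs with the admin's session and can drive the admin UI.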

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back 25 days ago
Peter Ivanov modified the Severity from Critical to Low 25 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 25 days ago
minhnb has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 7f13d5 25 days ago
Peter Ivanov has been awarded the fix bounty
minhnb
25 days ago

Researcher


@maintainer, could you please tell me why this bug is rated Low severity? It seems not fair. Other reports on your project have the same attack vector and the same impact, and they have been rated High. For example: https://huntr.dev/bounties/16b0547b-1bb3-493c-8a00-5b6a11fca1c5/

Peter Ivanov
21 days ago

Hi, this bug is Low severity as it requires admin access.

minhnb
21 days ago

Researcher


I don't agree with you. I don't need admin privileges to exploit this vulnerability. In case the admin is logged in and I can trigger the admin to click a malicious link, I can steal the admin's cookie. How do you calculate the CVSS to mark this as Low severity?
