Reflected XSS in microweber in microweber/microweber

Valid

Reported on

Apr 28th 2022


Description

Hi there. In your latest version (1.2.15), Docker image here https://registry.hub.docker.com/r/microweber/microweber, I found a reflected XSS endpoint: http://localhost/admin/view:content/action:settings?group=template&template
Parameter: template
Payload: shopmag"><ScRiPt%20>alert(document.cookie)</ScRiPt>

Proof of Concept

http://localhost/admin/view:content/action:settings?group=template&template=shopmag%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E

[Screenshot attachment: xss2.png]

Impact

Execute arbitrary JavaScript as the attacked user, steal the admin cookie...
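The report above says the `template` query parameter is reflected into the admin settings page without encoding, so a `"` closes the attribute and a `>` closes the tag. The following added example (not code from the report or from the Microweber project; the `<input>` markup and the function names are hypothetical) reproduces that failure mode in miniature and shows the fix: HTML-entity encode the value for the attribute context. It parses the rendered output with the standard-library HTML parser, so you can see that the unencoded version yields two elements (`input` and `script`) while the encoded version yields one element whose `value` attribute round-trips the original string untouched.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the proof-of-concept URL from the report, payload URL-encoded as given.
POC_URL = (
    "http://localhost/admin/view:content/action:settings"
    "?group=template&template=shopmag%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E"
)


def template_param(url: str) -> str:
    """Extract the `template` query parameter the way a web server would (URL-decoded)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("template", [""])[0]


def render_vulnerable(template: str) -> str:
    """Hypothetical vulnerable rendering: the raw parameter is concatenated into an
    HTML attribute. A '"' in the value terminates the attribute and '>' terminates
    the tag, so attacker-controlled markup becomes part of the page."""
    return f'<input type="hidden" name="template" value="{template}">'


def render_fixed(template: str) -> str:
    """Hardened rendering: encode the value for the attribute context.
    html.escape(..., quote=True) turns <, >, &, " and ' into entities, so the
    browser treats the whole string as attribute data rather than markup."""
    return f'<input type="hidden" name="template" value="{html.escape(template, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: dict[str, dict] = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)           # HTMLParser lower-cases tag names (ScRiPt -> script)
        self.attrs[tag] = dict(attrs)   # attribute values are entity-decoded by the parser


def tags_in(markup: str) -> list[str]:
    """Return the start tags a browser-like parser sees in `markup`.
    More than the one expected element means the value broke out of its attribute."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def rendered_value(markup: str) -> str:
    """Return the decoded `value` attribute of the <input> element (empty if absent)."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs.get("input", {}).get("value", "")


if __name__ == "__main__":
    payload = template_param(POC_URL)
    print("vulnerable tags:", tags_in(render_vulnerable(payload)))  # ['input', 'script']
    print("fixed tags:     ", tags_in(render_fixed(payload)))       # ['input']
    print("fixed value round-trips:", rendered_value(render_fixed(payload)) == payload)
```

Running it prints `['input', 'script']` for the unencoded rendering and `['input']` for the encoded one. The same `tags_in` check works as a small regression test in a project's test suite: render the page with a value containing `"` and `>`, and assert that exactly the expected elements come back.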

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
Minh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit 7f13d5 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Minh
a year ago

Researcher


@maintainer, could you please tell me why this bug is rated Low severity? It seems not fair. Other reports on your project have the same attack vector and the same impact, and they have been rated High. For example: https://huntr.dev/bounties/16b0547b-1bb3-493c-8a00-5b6a11fca1c5/

Peter Ivanov
a year ago

Maintainer


Hi, this bug is Low severity as it requires admin access.

Minh
a year ago

Researcher


I don't agree with you. I don't need the admin privilege to exploit this vulnerability. In case the admin is logged in and I can trigger the admin to click a malicious link, I can steal the admin's cookie. How do you calculate the CVSS to mark this as Low severity?
