Reflected XSS in microweber/microweber


Reported on Apr 21st 2022


Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.

Proof of Concept

'ont<a>ransitionend=alert(1)'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=

Press tab for the alert() to show up.

Okay 3 things to unpack here:

  • " and ' at various places allow breaking out of the HTML (root cause of the XSS)
  • ont<x>ransitionend gets sanitized to ontransitionend and bypasses the XSS filter
  • style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition without a <style> tag

Took me some time to finally find an XSS payload that runs here :)

I'd suggest you do not allow breaking out of the HTML here, so filter ' & ". ont<x>ransitionend should be examined; this trick doesn't work in every parameter. Additionally, some JS event handlers are allowed, e.g. onunhandledrejection; you could think about an on.*= regex.


Execute Arbitrary JavaScript as the attacked user.

It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.
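The filter-ordering problem the report describes (a tag stripper re-joining ont<a>ransitionend into ontransitionend, and quotes reflected unescaped into an attribute) can be reproduced and fixed in a few lines. The following is an added Python example and not microweber's code (microweber is written in PHP); the filter functions, the template and the parser-based check are hypothetical reconstructions of the behaviour the report describes, with the module= value quoted in the report used as the input.

```python
import html
import re
from html.parser import HTMLParser

# Input: the module= value quoted in the report's proof of concept, verbatim.
POC_MODULE = "'ont<a>ransitionend=alert(1)'\"tabindex=1"

# The "on.*=" check the report suggests, and a strip_tags-style tag remover
# (both hypothetical; modelled on the behaviour the report describes).
HANDLER_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]*>")


def has_event_handler(value: str, strip_tags_first: bool) -> bool:
    """Run the handler regex on the raw value, or on the value after tag
    stripping. Only the second form inspects the string the browser sees."""
    if strip_tags_first:
        value = TAG_RE.sub("", value)
    return HANDLER_RE.search(value) is not None


def naive_filter(value: str) -> str:
    """Hypothetical vulnerable filter: handler check first, tag stripping second.

    '<a>' splits the handler name, so the check never matches; the tag
    stripper then glues 'ont' and 'ransitionend' back together, and the
    quotes pass through untouched.
    """
    if HANDLER_RE.search(value):
        return ""
    return TAG_RE.sub("", value)


def hardened_filter(value: str) -> str:
    """Encode for the attribute context instead of relying on a blocklist.

    quote=True turns both ' and " into entities, so the reflected value can
    never close the attribute it lands in; '<' and '>' become &lt; and &gt;.
    The handler regex can still run (after stripping) as defence in depth.
    """
    return html.escape(value, quote=True)


def render_module_div(module_value: str, filt) -> str:
    """Hypothetical template mirroring the reflected HTML in the report: the
    module value lands inside a single-quoted class attribute."""
    return f"<div class='x module module-{filt(module_value)}' tabindex=\"1\"></div>"


class _FirstTagAttrs(HTMLParser):
    """Collect the attribute names of the first start tag, the way a
    browser-like tokenizer would split them."""

    def __init__(self):
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if self.names is None:
            self.names = [name for name, _ in attrs]


def event_handlers_in(rendered: str) -> list:
    """Defender-side check: which on* attributes does the rendered tag carry?
    The template only has class and tabindex, so any on* name is a breakout."""
    parser = _FirstTagAttrs()
    parser.feed(rendered)
    parser.close()
    return [n for n in (parser.names or []) if n.startswith("on")]


if __name__ == "__main__":
    print("regex on raw input      :", has_event_handler(POC_MODULE, strip_tags_first=False))
    print("regex after strip_tags  :", has_event_handler(POC_MODULE, strip_tags_first=True))
    print("naive filter, handlers  :", event_handlers_in(render_module_div(POC_MODULE, naive_filter)))
    print("hardened filter, handlers:", event_handlers_in(render_module_div(POC_MODULE, hardened_filter)))
```

Running the regex on the raw value misses the handler while running it after stripping catches it, which is the ordering point; the encoding in hardened_filter removes the breakout regardless of which handler names the regex knows about, so it is the primary fix and the regex stays a secondary control.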


We are processing your report and will contact the microweber team within 24 hours. a year ago
Finn Westendorf modified the report
a year ago
Finn Westendorf
a year ago


So the trick actually was the onev<x>nthandler in the module parameter; the transition is not needed, e.g. above I use onmouseover. The HTML is very different from when a valid value of the module parameter is used.

<div class='x module module-'onmouseover=alert(1) '   tabindex="1"   style="width:100%;height:100%;"   id="x"   data-show-ui="admin"   from_url=""   data-type="'onmouseover=alert(1)"   parent-module="'onmouseover=alert(1)"   parent-module-id="x"  ></div>
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit ad3928 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE