Code Injection in microweber/microweber
Jan 2nd 2022
HTML Injection is a vulnerability in which an attacker can inject malicious HTML content into the webpage, so that it is rendered as markup rather than shown as text.
Proof of Concept
1. The admin has enabled the Comments module, so that people can comment on a blog post.
2. The attacker posts the following comment:
Now observe the changes in the webpage: this HTML gets executed. The footer of the webpage is struck out, and so on.
Attackers can change the structure of the webpage using different tags like
Attackers can even hide the Leave Comment button.
This HTML also executes in the admin panel when the admin checks the comments on a post.
This endpoint only cleans XSS payloads and does not apply any process to clean HTML tags.
It makes no use of the clean_html function, which is used in AdminController@saveCommentEdit in the Comments module.
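As an added defensive illustration (not microweber's code), the following Python models the difference the report points at: an XSS-only filter that strips `<script>` tags but lets structural tags through, beside an allowlist cleaner of the kind `clean_html` is meant to provide. The allowlist, tag names and sample comments are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}  # constructed allowlist
DROP_CONTENT_TAGS = {"script", "style"}  # drop the tag and its text content
# Model of an "XSS-only" filter: it strips <script> tags and nothing else, so a
# structural tag such as an unclosed <s> reaches the page untouched.
_SCRIPT_TAG_RE = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)

def xss_only_filter(comment):
    return _SCRIPT_TAG_RE.sub("", comment)

class _TagAllowlistCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied through
            if tag != "br":
                self.open_tags.append(tag)
        # any other tag (<s>, <div>, <a>, ...) is silently dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
        elif tag in self.open_tags:
            # close back down to the matching tag so the output stays balanced
            while self.open_tags:
                self.out.append(f"</{self.open_tags[-1]}>")
                if self.open_tags.pop() == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text is re-escaped, never raw

def clean_html(comment):
    """Allowlist cleaner: keeps only ALLOWED_TAGS, drops attributes, balances tags."""
    cleaner = _TagAllowlistCleaner()
    cleaner.feed(comment)
    cleaner.close()
    while cleaner.open_tags:  # close what the comment left open
        cleaner.out.append(f"</{cleaner.open_tags.pop()}>")
    return "".join(cleaner.out)
```

Running both filters over a comment such as `Nice post<s>` shows the point: the XSS-only filter returns it unchanged, so the open `<s>` strikes through everything rendered after it, while the allowlist cleaner returns plain `Nice post`.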