Code Injection in microweber/microweber

Valid

Reported on

Jan 2nd 2022

Description

HTML Injection is a vulnerability in which the attacker can inject malicious html content in the webpage.

Proof of Concept

1 Admin has enabled Comments module, so that people can comment on a blog post. 2 Attacker post the following comment:

<s><marquee><h1>SOMETHING+SOMETHING

Now, observe the changes in the webpage: This html gets executed. The footer of webpage is striked out etc.

Impact

Attackers can change the structure of webpage using different tags like <marquee>, <h1>, <center>, <s> etc. Attackers can even hide the Leave Comment button This html code also executes in the admin panel when admin checks the comments on a post.

Occurrences

This endpoint only cleans XSS payloads and does not follow any process to clean html tags No use of clean_html function which is being used in AdminController@saveCommentEdit in Comments module.

We are processing your report and will contact the microweber team within 24 hours. a year ago
Rohan Sharma modified the report
a year ago
Rohan Sharma modified the report
a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
We have sent a second follow up to the microweber team. We will try again in 10 days. a year ago
Bozhidar
a year ago

Maintainer

https://github.com/microweber/microweber/commit/51b5a4e3ef01e587797c0109159a8ad9d2bac77a

Bozhidar
a year ago

Maintainer

https://github.com/microweber/microweber/commit/6e9fcaa043b4211ef21a494f9892dd19ba8a572c

Bozhidar
a year ago

Maintainer

done

Peter Ivanov validated this vulnerability a year ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 51b5a4 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation