Code Injection in microweber/microweber

Valid

Reported on

Jan 2nd 2022


Description

HTML Injection is a vulnerability in which an attacker can inject malicious HTML content into a webpage, so that the browser renders attacker-supplied markup as part of the page.

Proof of Concept

1. The admin has enabled the Comments module, so visitors can comment on a blog post.
2. The attacker posts the following comment:

<s><marquee><h1>SOMETHING+SOMETHING

Now observe the changes in the webpage: this HTML is rendered by the browser rather than shown as text. The footer of the webpage is struck through, and so on.

Impact

Attackers can change the structure of the webpage using tags such as <marquee>, <h1>, <center> and <s>, and can even hide the Leave Comment button. The injected HTML also renders in the admin panel when the admin reviews the comments on a post.

Occurrences

This endpoint only filters XSS payloads and does not otherwise clean HTML tags. It does not use the clean_html function that AdminController@saveCommentEdit in the Comments module already uses.
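The following is an added illustration, not Microweber's own code, of why the reported comment body restructures the page and of two defensive treatments (escape on output, strip tags on save). The function names and the allowlist are assumptions for the example; the sample comment is the payload from the report.

```php
<?php
// Added example, not project code. Shows what a stored comment body does when it
// is echoed verbatim, and what each defensive treatment turns it into.

// Constructed sample input: the comment from the proof of concept. Note that none
// of the tags are closed, so the browser keeps <s>, <marquee> and <h1> open and
// applies them to everything that follows the comment, including the page footer.
$comment = '<s><marquee><h1>SOMETHING+SOMETHING';

// Vulnerable pattern: the stored body is concatenated into the page unchanged.
function renderUnsafe(string $body): string
{
    return '<div class="comment">' . $body . '</div>';
}

// Defence 1: escape on output. Every '<' becomes '&lt;', so the browser shows the
// literal text and parses nothing in the body as markup. This is the baseline.
function renderEscaped(string $body): string
{
    return '<div class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Defence 2: strip tags on save, comparable in intent to routing the public
// comment endpoint through the same cleaner the admin edit path already uses.
// $allowed is a hypothetical allowlist; keep it small, and still escape or
// attribute-filter on output, because strip_tags() does not inspect attributes.
function sanitizeOnSave(string $body, string $allowed = '<b><i>'): string
{
    return strip_tags($body, $allowed);
}

echo "Unsafe:    " . renderUnsafe($comment) . PHP_EOL;
// <div class="comment"><s><marquee><h1>SOMETHING+SOMETHING</div>   (tags left open)
echo "Escaped:   " . renderEscaped($comment) . PHP_EOL;
// <div class="comment">&lt;s&gt;&lt;marquee&gt;&lt;h1&gt;SOMETHING+SOMETHING</div>
echo "Sanitized: " . renderUnsafe(sanitizeOnSave($comment)) . PHP_EOL;
// <div class="comment">SOMETHING+SOMETHING</div>
```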

We are processing your report and will contact the microweber team within 24 hours. 5 months ago
Rohan Sharma modified the report
5 months ago
Rohan Sharma modified the report
5 months ago
We have contacted a member of the microweber team and are waiting to hear back 5 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 4 months ago
Bozhidar
4 months ago

Maintainer


https://github.com/microweber/microweber/commit/51b5a4e3ef01e587797c0109159a8ad9d2bac77a

Bozhidar
4 months ago

Maintainer


https://github.com/microweber/microweber/commit/6e9fcaa043b4211ef21a494f9892dd19ba8a572c

Bozhidar
4 months ago

Maintainer


done

Peter Ivanov validated this vulnerability 4 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 51b5a4 4 months ago
Peter Ivanov has been awarded the fix bounty