Cross-site Scripting (XSS) - Stored on Translations in microweber/microweber


Reported on

Aug 13th 2022


Translations are vulnerable to Cross-Site Scripting.

Steps to reproduce

1 - Go to Website -> Settings

2 - Click on Languages

3 - Fill any field to be translated with an XSS payload : "><iframe onload=confirm(document.domain)>.

4 - XSS popup will appear.

Proof of concept


Stealing Admin Cookies

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
Amine has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.1 with commit 265ff4 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation