Cross-site Scripting (XSS) - Stored on Translations in microweber/microweber

Valid

Reported on

Aug 13th 2022


Description

Translations are vulnerable to Cross-Site Scripting.

Steps to reproduce

1 - Go to Website -> Settings

2 - Click on Languages

3 - Fill any field to be translated with an XSS payload : "><iframe onload=confirm(document.domain)>.

4 - XSS popup will appear.

Proof of concept

https://drive.google.com/drive/folders/1oensm1PLCekuN4Inw6u_ZiZQ2gNMasp8?usp=sharing

Impact

Stealing Admin Cookies

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov modified the Severity from Medium to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a month ago
Amine has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 265ff4 a month ago
Peter Ivanov has been awarded the fix bounty
to join this conversation