Cross-site Scripting (XSS) - Stored on Translations in microweber/microweber

Valid

Reported on

Aug 13th 2022

Description

Translations are vulnerable to Cross-Site Scripting.

1 - Go to Website -> Settings

2 - Click on Languages

3 - Fill any field to be translated with an XSS payload : "><iframe onload=confirm(document.domain)>.

4 - XSS popup will appear.

https://drive.google.com/drive/folders/1oensm1PLCekuN4Inw6u_ZiZQ2gNMasp8?usp=sharing

Stealing Admin Cookies

We are processing your report and will contact the microweber team within 24 hours. a year ago

We have contacted a member of the microweber team and are waiting to hear back a year ago

Peter Ivanov modified the Severity from Medium to Low a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Peter Ivanov validated this vulnerability a year ago

Amine has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Peter Ivanov marked this as fixed in 1.3.1 with commit 265ff4 a year ago

This vulnerability will not receive a CVE

to join this conversation