Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Feb 8th 2022


Description

There is a reflected XSS in the create and search tag function, where any user can execute any malicious code, resulting in cookie stealing or an account takeover vulnerability.

Steps to Reproduce:

  • Go to this particular URL URL
  • Click on live edit. Now, in the tag section, select the existing tag and click on manage tags
  • Now, click on the global tags tab and create a tag with the following payload as its name: "><img src=x onerror=confirm(document.domain)>
  • Now, for whoever uses that particular tag, the malicious code will get executed

Proof of concept: Video-Proof-of-Concept
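The root cause in a report like this is that a stored tag name is interpolated into markup without output encoding. The following is an added illustration, not Microweber's code and not the fix in the linked commit: it shows the unsafe rendering pattern beside an encoded version and a server-side allow-list check for tag names. The function names, the regular expression and the sample tag are assumptions constructed for this example; the sample mirrors the shape of the payload in the steps above.

```javascript
// Added example (not part of the original report or of Microweber): safe vs. unsafe
// rendering of a user-controlled tag name. Runs in Node or a browser.

// Constructed sample input shaped like the payload in the report (hypothetical data).
const CONSTRUCTED_TAG = '"><img src=x onerror=confirm(document.domain)>';

// Minimal HTML entity encoder suitable for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Unsafe: the raw tag name is spliced into an attribute and into element text.
// A name containing '">' closes the attribute and the browser parses what follows as markup.
function renderTagUnsafe(name) {
  return `<a class="tag" data-tag="${name}">${name}</a>`;
}

// Safe: every interpolation goes through the encoder, so the tag name can only ever be text.
function renderTagSafe(name) {
  const enc = escapeHtml(name);
  return `<a class="tag" data-tag="${enc}">${enc}</a>`;
}

// Defence in depth for the create-tag endpoint (assumed policy): accept only letters,
// digits, spaces, underscores and hyphens, 1 to 64 characters. Output encoding above is
// still required; validation alone is not a substitute for it.
const TAG_NAME_RE = /^[\p{L}\p{N} _-]{1,64}$/u;
function isValidTagName(name) {
  return typeof name === 'string' && TAG_NAME_RE.test(name);
}

// Cheap check a reviewer or test can use: did rendering a name introduce a new element start?
function introducesElement(renderFn, name) {
  const out = renderFn(name);
  // The expected output contains exactly one '<a' and one '</a>'; anything else is injected.
  const tagStarts = out.match(/<[a-zA-Z]/g) || [];
  return tagStarts.length > 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render injects markup:', introducesElement(renderTagUnsafe, CONSTRUCTED_TAG));
  console.log('safe render injects markup:  ', introducesElement(renderTagSafe, CONSTRUCTED_TAG));
  console.log('allow-list accepts sample:   ', isValidTagName(CONSTRUCTED_TAG));
  console.log('allow-list accepts "web-dev":', isValidTagName('web-dev'));
}
```

The encoded output renders the tag literally as text, so a stored name can no longer become an element or an event handler; the allow-list rejects the sample before it is ever stored, which also makes such submissions easy to log and alert on.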

We are processing your report and will contact the microweber team within 24 hours. 4 months ago
We have contacted a member of the microweber team and are waiting to hear back 4 months ago
Bozhidar
4 months ago

Maintainer


https://github.com/microweber/microweber/commit/14a1bb971bcb8b5456c2bf0020c3018907a2704d

Peter Ivanov validated this vulnerability 4 months ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 14a1bb 4 months ago
Peter Ivanov has been awarded the fix bounty