Cross-site Scripting (XSS) - Stored in microweber/microweber


Reported on

Feb 8th 2022


There is a reflected XSS in the tag creation and search function, where any user can execute any malicious code, resulting in cookie stealing or an account takeover vulnerability.

Steps to Reproduce:

  • Go to this particular URL URL
  • Click on live edit. Now, in the tag section, select the existing tag and click on manage tags
  • Now, click on the global tags tab and create a tag with the following payload as its name: "><img src=x onerror=confirm(document.domain)>
  • Now, for whoever uses the particular tag, the malicious code will get executed

Proof of concept: Video-Proof-of-Concept

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago


Peter Ivanov validated this vulnerability a year ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 14a1bb a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
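
As an added example (not microweber's code and not the change made in commit 14a1bb), the PHP sketch below shows why a tag name like the one in the reproduction steps escapes its attribute when rendered raw, and how encoding at output time keeps it as inert text. The function names, the markup and the tag-name policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer, unsafe: the stored tag name is concatenated
// into an attribute value and into element text without encoding.
function renderTagUnsafe(string $name): string
{
    return '<a class="tag" title="' . $name . '">' . $name . '</a>';
}

// Hardened renderer: encode for HTML at output time.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderTagSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="tag" title="' . $encoded . '">' . $encoded . '</a>';
}

// Defence in depth on input (assumed policy, not the project's):
// letters, digits, space, hyphen and underscore, 1 to 64 characters.
function isValidTagName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _-]{1,64}\z/u', $name) === 1;
}

// Constructed samples: an ordinary tag and the name from the report.
$samples = [
    'summer-sale',
    '"><img src=x onerror=confirm(document.domain)>',
];

foreach ($samples as $name) {
    echo 'name:     ', $name, PHP_EOL;
    echo 'accepted: ', isValidTagName($name) ? 'yes' : 'no', PHP_EOL;
    echo 'unsafe:   ', renderTagUnsafe($name), PHP_EOL;
    echo 'safe:     ', renderTagSafe($name), PHP_EOL, PHP_EOL;
}
```

Encoding belongs at the point of output because the same stored value can reach several views; input validation alone does not cover names saved before the rule existed.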