Cross-site Scripting (XSS) - Stored in microweber/microweber

Valid

Reported on

Feb 8th 2022


Description

There is a reflected XSS in the create-tag and search-tag function, where any user can execute any malicious code, resulting in cookie stealing or an account takeover vulnerability.

Steps to Reproduce:

  • Go to this particular URL
  • Click on live edit. Now, in the tag section, select the existing tag and click on manage tags
  • Now, click on the global tags tab and create a tag with the name as the following payload: "><img src=x onerror=confirm(document.domain)>
  • Now, for whoever uses the particular tag, the malicious code will get executed

Proof of concept: Video Proof-of-Concept
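The report describes a tag name being written into the page as raw markup. The following PHP snippet is an added illustration, not Microweber's code or the fix in the linked commit: it contrasts a raw-interpolation render function (the vulnerable pattern) with one that encodes the tag name for both the attribute and the text context, using the payload string from this report as a constructed sample input. The function and class names are assumptions chosen for the example.

```php
<?php
// Added example (not Microweber's code). Shows why a tag name must be
// HTML-encoded before it is embedded in markup, using the payload
// quoted in this report as a constructed sample input.

// Constructed sample: the tag name from the report's reproduction steps.
const SAMPLE_TAG = '"><img src=x onerror=confirm(document.domain)>';

// Vulnerable pattern (shown for contrast only): the name is concatenated
// straight into an attribute and into element text, so the leading '">'
// closes the attribute and the browser parses the rest as a new element.
function render_tag_unsafe(string $name): string
{
    return '<a class="tag" data-tag="' . $name . '">' . $name . '</a>';
}

// Encode for HTML text and double-quoted attribute contexts.
// ENT_QUOTES also encodes single quotes, ENT_HTML5 selects HTML5 entities,
// and an explicit charset avoids surprises with multibyte input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded at the point where it
// is inserted into markup, once per context.
function render_tag(string $name): string
{
    return '<a class="tag" data-tag="' . h($name) . '">' . h($name) . '</a>';
}

// Simple self-check a reviewer can run: the encoded output must not contain
// a raw '<' or '"' originating from the tag name.
function contains_raw_markup(string $html, string $name): bool
{
    // Strip the fixed template characters so only the user-supplied part
    // is inspected; any remaining '<' or '"' came from the name.
    $stripped = str_replace(
        ['<a class="tag" data-tag="', '">', '</a>'],
        '',
        $html
    );
    return str_contains($stripped, '<') || str_contains($stripped, '"');
}

echo "Unsafe:   ", render_tag_unsafe(SAMPLE_TAG), PHP_EOL;
echo "Encoded:  ", render_tag(SAMPLE_TAG), PHP_EOL;
var_dump(contains_raw_markup(render_tag_unsafe(SAMPLE_TAG), SAMPLE_TAG)); // true
var_dump(contains_raw_markup(render_tag(SAMPLE_TAG), SAMPLE_TAG));        // false
```

Encoding at the output point is the primary mitigation; restricting accepted tag names to a conservative character set on input is useful defence in depth but does not replace it, because the same stored value may later be rendered in other contexts (JavaScript, JSON, URLs) that each need their own encoding.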

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar (Maintainer) a year ago

https://github.com/microweber/microweber/commit/14a1bb971bcb8b5456c2bf0020c3018907a2704d

Peter Ivanov validated this vulnerability a year ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 14a1bb a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE