HTML Injection on Settings/Template in microweber/microweber

Valid

Reported on

Mar 10th 2023


Description

Found an HTML injection in the Template module under Settings: the `template` query parameter is reflected into the page without escaping.

Proof of Concept

  1. Log in as Administrator and go to Settings.
  2. Under Website Settings, go to Template.
  3. Specifically, go to this URL: https://demo.microweber.org/demo/admin/view:content/action:settings?group=template
  4. Then copy and paste the payload into the URL. Payload: &template="><h1>Testing</h1><p style="color:red"></p><
  5. You will see the payload rendered in the web page and the font colors changed.
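As an added illustration (not part of this report and not Microweber's code): a small Python model of the attribute-context breakout the steps above describe, beside the escaping that closes it. `render_field` is a hypothetical stand-in for the real settings form field; the sample URL is the report's URL with the report's payload appended.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the settings URL from the report with the report's
# "template" payload appended, as the browser would send it.
SAMPLE_URL = (
    "https://demo.microweber.org/demo/admin/view:content/action:settings"
    '?group=template&template="><h1>Testing</h1><p style="color:red"></p><'
)


def template_param(url: str) -> str:
    """Return the raw 'template' query parameter as the server receives it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("template", [""])[0]


def render_field(template: str, escape_attr: bool) -> str:
    """Hypothetical stand-in for the settings form field (not Microweber's code).
    escape_attr=False mirrors the reported defect: the parameter is echoed
    inside an attribute value unescaped, so the leading '">' closes the
    attribute and the tag, and everything after it becomes live markup.
    escape_attr=True applies attribute-context escaping (quotes included)."""
    value = html.escape(template, quote=True) if escape_attr else template
    return f'<input name="template" value="{value}">'


class _TagCollector(HTMLParser):
    """Record every start tag and the value the <input> field ends up with."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def inspect(markup: str):
    """Parse a rendered fragment. Any tag besides the single <input> means the
    parameter broke out of the attribute; the second item is the value the
    field actually holds (the parser decodes &quot; etc. back to characters)."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.input_value
```

With escaping off the parser sees `input`, `h1` and `p` and the field's value is empty; with attribute-context escaping on, the only element is the `input` and its value is the payload as inert text.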

ScreenShot

https://drive.google.com/file/d/1ie8RK4MgWXAbOdkWhyIkjGID9srwb0Sg/view?usp=share_link

Impact

Injection Attacks

We are processing your report and will contact the microweber team within 24 hours. a year ago
cyberneticsplus modified the report
a year ago
cyberneticsplus modified the report
a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from High (7.6) to Medium (5.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
cyberneticsplus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 1a9b90 a year ago
Peter Ivanov has been awarded the fix bounty
cyberneticsplus
a year ago

Researcher


Thank you for the quick fix and update.

This vulnerability has now been published a year ago