HTML Injection on Settings/Template in microweber/microweber
Status: Valid
Reported on Mar 10th 2023
Description
HTML injection was found in the Template section of the Settings module: the template query parameter is reflected into the admin page without being escaped.
Proof of Concept
- Log in as Administrator and go to Settings.
- Under Website Settings, go to Template.
- This is the URL: https://demo.microweber.org/demo/admin/view:content/action:settings?group=template
- Append the payload to that URL. Payload: &template="><h1>Testing</h1><p style="color:red"></p><
- The injected markup is rendered in the page and the font colour changes.
Screenshot
https://drive.google.com/file/d/1ie8RK4MgWXAbOdkWhyIkjGID9srwb0Sg/view?usp=share_link
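To show why the attribute breakout in the proof of concept works and how output escaping stops it, here is an added Python example; it is not Microweber's code. The form markup it renders is an assumption, and the check parses the rendered page the way a browser would, which is how a defender can turn this report into a regression test.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the report: it closes the value="..." attribute and the
# input tag, then injects its own elements into the page.
REPORT_PAYLOAD = '"><h1>Testing</h1><p style="color:red"></p><'


def render_vulnerable(template: str) -> str:
    """Reflects the ?template= value into an attribute without escaping.
    The form markup is an assumption for illustration, not Microweber's own."""
    return f'<form><input name="template" value="{template}"></form>'


def render_fixed(template: str) -> str:
    """Same form, but the value is HTML-escaped (quotes included) first."""
    safe = html.escape(template, quote=True)
    return f'<form><input name="template" value="{safe}"></form>'


class _Collector(HTMLParser):
    """Records every start tag and its attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def analyse(page: str, expected_tags=("form", "input")):
    """Return (injected_tags, template_value): tags that are not part of the
    form markup, and the value the browser assigns to the template field."""
    parser = _Collector()
    parser.feed(page)
    injected = [t for t, _ in parser.elements if t not in expected_tags]
    value = next((a.get("value") for t, a in parser.elements if t == "input"), None)
    return injected, value


if __name__ == "__main__":
    # Vulnerable: the field is emptied and h1/p become real elements.
    print(analyse(render_vulnerable(REPORT_PAYLOAD)))  # (['h1', 'p'], '')
    # Fixed: no extra elements, and the field holds the literal payload text.
    print(analyse(render_fixed(REPORT_PAYLOAD)))       # ([], REPORT_PAYLOAD)
```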
Impact
Injection attacks: attacker-controlled HTML supplied in the URL is rendered in the admin Template settings page, as the screenshot shows.
Timeline
- The researcher received a minor credibility penalty (-1) for miscalculating the severity.
- The researcher's credibility increased: +7.
- Peter Ivanov was awarded the fix bounty.
- This vulnerability has been assigned a CVE.
- This vulnerability is scheduled to go public on Apr 13th 2023.