HTML Injection on Settings/Template in microweber/microweber

Valid

Reported on

Mar 10th 2023


Description

HTML injection in the Template module under Settings: the template query parameter is reflected into the page without HTML encoding, so markup supplied in the URL is rendered.

Proof of Concept

  1. Log in as Administrator and go to Settings.
  2. Under Website Settings, go to Template.
  3. Specifically, open this URL: https://demo.microweber.org/demo/admin/view:content/action:settings?group=template
  4. Append the payload to the URL's query string. Payload: &template="><h1>Testing</h1><p style="color:red"></p><
  5. The injected markup is rendered in the page and the font colors change.
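The reproduction above, worked through as an added Python example that is not part of this report or of Microweber's code. It builds the PoC URL with the payload percent-encoded, models the reflection point as an assumed quoted HTML attribute (the page does not show Microweber's actual template code, and commit 1a9b90 is not reproduced here), and contrasts it with a rendering that encodes the value for the attribute context. A small HTML parser shows which start tags each version actually produces, which is the check a tester would run against a real response body rather than eyeballing the screenshot.

```python
"""Added example, not Microweber's code: models the attribute-context HTML
injection in this report and checks whether a rendered page reflects the
'template' query parameter raw or HTML-encoded."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Payload value from step 4 of the report (the leading '&' only joins it to
# the existing query string, so it is not part of the value itself).
PAYLOAD = '"><h1>Testing</h1><p style="color:red"></p><'
BASE_URL = "https://demo.microweber.org/demo/admin/view:content/action:settings"


def poc_url(template_value: str = PAYLOAD) -> str:
    """Build the PoC URL with the payload percent-encoded so that '"', '<'
    and '>' survive the query string and are decoded by the server."""
    return BASE_URL + "?" + urlencode({"group": "template", "template": template_value})


def decoded_template_param(url: str) -> str:
    """Server-side view: decode the query string and return the 'template'
    value, which must equal the raw payload for the injection to work."""
    return parse_qs(urlsplit(url).query)["template"][0]


def render_vulnerable(template_value: str) -> str:
    """Assumed vulnerable pattern (hypothetical, not Microweber's template):
    the parameter is concatenated into a quoted attribute without encoding,
    so a value starting with '">' closes the attribute and the tag."""
    return f'<input type="hidden" name="template" value="{template_value}">'


def render_fixed(template_value: str) -> str:
    """Hardened rendering: encode for the attribute context. escape(quote=True)
    maps '"' to '&quot;' and '<' to '&lt;', so the value can neither end the
    attribute nor start a new element."""
    return f'<input type="hidden" name="template" value="{escape(template_value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Record every start tag a browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(body: str) -> list[str]:
    """Parse a response body and return its start tags in document order.
    A raw reflection of the payload adds 'h1' and 'p' after the 'input'."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


def reflected_unescaped(body: str, probe: str = PAYLOAD) -> bool:
    """True when the probe's markup reaches the page intact (injection),
    False when only its encoded form, or nothing, is present."""
    return probe in body


if __name__ == "__main__":
    print(poc_url())
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(PAYLOAD)
        print(f"{label}: tags={start_tags(body)} injected={reflected_unescaped(body)}")
```

Against a live target the same two checks apply to the real response body: fetch poc_url() as an authenticated administrator, then confirm that start_tags() shows no h1 or p introduced by the payload and that reflected_unescaped() is False once the fix is deployed.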

ScreenShot

https://drive.google.com/file/d/1ie8RK4MgWXAbOdkWhyIkjGID9srwb0Sg/view?usp=share_link

Impact

Injection attacks: HTML supplied in the template query parameter is rendered in the admin Template settings page for whoever opens the crafted URL.

We are processing your report and will contact the microweber team within 24 hours. 2 months ago
cyberneticsplus modified the report 2 months ago
cyberneticsplus modified the report 2 months ago
We have contacted a member of the microweber team and are waiting to hear back 2 months ago
Peter Ivanov modified the Severity from High (7.6) to Medium (5.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 2 months ago
cyberneticsplus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 1a9b90 2 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 13th 2023
cyberneticsplus (Researcher), 2 months ago:

Thank you for the quick fix and update.

Peter Ivanov published this vulnerability a month ago