Unrestricted XML Files Leads to Stored XSS in microweber/microweber
Mar 12th 2022
The web Application restricts upload files by blacklist extensions. It's not safe for the application to prevent the attack, there are many extension can cause an attack to user and web application. By uploading XML files, the users can perform an Stored XSS attack
Proof of Concept
[1.] User login with his credential at: https://demo.microweber.org/demo/admin/
If an attacker can control a script that is executed in the victim's browser, they might compromise that user, in this case, an admin, by stealing its cookies.