Reflected XSS on /api/module in microweber/microweber

Valid

Reported on

Jun 21st 2022


Description

Reflected XSS via filter bypass on /api/module using type= parameter.

Proof of Concept

https://demo.microweber.org/demo/api/module?type=</script><script>alert("xss")</script>&live_edit=true&from_url=test

The value of the "type" parameter is injected into the source code of the page at line 63. Since the value of the "type" parameter is not sanitized, it is possible to close the div tag with ' </script> ' and then put javascript code.

Impact

Execute arbitrary JavaScript code with the privileges of the victim's user. This can be used for cookie stealing (account takeover), for example.

We are processing your report and will contact the microweber team within 24 hours. 5 days ago
We have contacted a member of the microweber team and are waiting to hear back 4 days ago
Peter Ivanov validated this vulnerability 4 days ago
jhond0e has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on c51285 4 days ago
Peter Ivanov has been awarded the fix bounty
to join this conversation