Reflected XSS on /api/module in microweber/microweber


Reported on

Jun 21st 2022


Reflected XSS via filter bypass on /api/module using type= parameter.

Proof of Concept

</script><script>alert("xss")</script>&live_edit=true&from_url=test

The value of the "type" parameter is injected into the page source at line 63, inside an inline script block. Since the value is not sanitized, it is possible to close the enclosing script element with ' </script> ' and then supply arbitrary JavaScript in a new script tag.
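The unsafe pattern the report describes, beside a hardened form, as an added example that is not Microweber's own code: a request parameter (here a constructed "type" value mirroring the report's payload) is embedded in an inline script block either by raw concatenation or by JSON-encoding it with PHP's hex-escape flags, and a small check confirms only the raw version lets the script element be closed early. The function names and the sample value are assumptions for illustration.

```php
<?php
// Constructed sample input shaped like the report's payload (not a live value).
$type = 'x</script><script>alert("xss")</script>';

// VULNERABLE (hypothetical template): raw concatenation into an inline script.
// The HTML parser ends the script element at the first "</script" it meets,
// regardless of JavaScript string quoting, so the injected markup is rendered.
function render_unsafe(string $type): string {
    return "<script>var moduleType = '" . $type . "';</script>";
}

// HARDENED: serialise the value as JSON with the HEX flags, so '<', '>', '&'
// and quotes become \uXXXX escapes. The literal "</script" can no longer
// appear in the output, and the value cannot escape the JS string either.
function render_safe(string $type): string {
    $json = json_encode(
        $type,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var moduleType = " . $json . ";</script>";
}

// Regression check a reviewer can run over rendered output: a single inline
// script element must contain exactly one closing "</script" sequence.
function script_breaks_out(string $html): bool {
    return substr_count(strtolower($html), '</script') > 1;
}

if (!script_breaks_out(render_unsafe($type))) {
    throw new RuntimeException('expected the raw concatenation to break out');
}
if (script_breaks_out(render_safe($type))) {
    throw new RuntimeException('hardened rendering still contains </script');
}
echo render_safe($type), PHP_EOL;
```

The same rule applies to any server-side value placed inside a script block: encode for the JavaScript/JSON context and neutralise the HTML tag characters, rather than relying on a blocklist filter that the report's payload bypasses.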


An attacker who gets a victim to open the crafted link can execute arbitrary JavaScript with the privileges of the victim's user. This can be used for cookie stealing (account takeover), for example.

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
jhond0e has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.18 with commit c51285 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE