XSS in /demo/module/?module=HERE in microweber/microweber
Apr 22nd 2022
Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439
Proof of Concept
In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads.
As I mentioned, there are event handlers which are unblocked, so even without the <x> trick from the last report, you can get XSS.
Here I use ontransitionrun. There are more, and more event handlers will always come, so a blacklist approach will fail here.
Hitting "tab" will fire the payload.
How to fix this
The html looks like this:
<div class='x module module-'ontransitionrun=alert(1) ' tabindex="1" style="transition:outline 0.001s" ...
You cannot allow breaking out of the "class" attribute, so remove or encode the ' characters in the input. That's the main thing here.
Typical impact of XSS attacks.
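The fix described under "How to fix this", as an added example that is not part of the original report and is not microweber's code: it renders the same single-quoted class attribute raw, through a denylist, with output encoding, and with an allow-list. All function names, the denylist contents and the allowed character set are assumptions made for illustration.

```php
<?php
// Added illustration: function names are hypothetical, not microweber's.

// Shape from the report: value placed raw in a single-quoted class attribute.
function render_raw(string $module): string
{
    return "<div class='module module-" . $module . "'></div>";
}

// Denylist of handler names (constructed): anything not listed passes through.
function render_denylist(string $module): string
{
    $clean = preg_replace('/\bon(click|load|error|mouseover)\b/i', '', $module);
    return "<div class='module module-" . $clean . "'></div>";
}

// Encode for the HTML attribute context. ENT_QUOTES is required because the
// attribute is single-quoted; ENT_COMPAT (the default flag before PHP 8.1)
// leaves ' untouched.
function render_encoded(string $module): string
{
    $safe = htmlspecialchars($module, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class='module module-" . $safe . "'></div>";
}

// Allow-list. Assumption: module names only need these characters.
function render_allowlist(string $module): string
{
    if (!preg_match('/\A[A-Za-z0-9_\/-]{1,64}\z/', $module)) {
        $module = 'invalid';
    }
    return "<div class='module module-" . $module . "'></div>";
}

// Constructed input modelled on the markup quoted in the report.
$input = "'ontransitionrun=alert(1) ";

foreach (['render_raw', 'render_denylist', 'render_encoded', 'render_allowlist'] as $fn) {
    $html = $fn($input);
    // The template itself contributes exactly two ' characters; a third
    // means the input closed the class attribute early.
    $brokeOut = substr_count($html, "'") > 2;
    printf("%-18s breakout=%-3s %s\n", $fn, $brokeOut ? 'yes' : 'no', $html);
}
```

The raw and denylist variants report a breakout, while the encoded and allow-list variants keep the whole value inside the class attribute.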
Peter Ivanov validated this vulnerability a year ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit 1f6a4d a year ago
This vulnerability will not receive a CVE