Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in microweber/microweber

Valid

Reported on

Mar 11th 2022


Description

(1) Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop > Settings > other settings > Advanced

(2) From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings > Autorespond E-mail settings > check your e-mail settings

(3) Template Name, Template type, From Name, From E-mail and Subject parameters are vulnerable to stored XSS, which are located in Shop Settings > Autorespond E-mail settings > Edit Templates / Add new email template

(4) Multiple fields in the settings of Payment method settings are vulnerable to stored XSS, which are located in Shop Settings > Autorespond E-mail settings > check your e-mail settings > Test Mail Sending Method

(5) Send test email to and Test mail subject parameters of Send test email function are vulnerable to stored XSS, which are located in Shop Settings > Payment > Settings of each method

Proof of Concept for (1)

Step (1) : Access https://demo.microweber.org/demo/admin/view:shop/action:options#option_group=shop/orders/settings/other

Step (2): Click Advanced

Step (3): Put payload below in Checkout URL or Custom order id parameter

"><iMg SrC="x" oNeRRor="alert(1);">

Refresh this page, stored XSS will be triggered. image

Proof of Concept for (2)

Step (1) : Access https://demo.microweber.org/demo/admin/view:settings#option_group=shop/orders/settings/setup_emails_on_order

Step (2): Click check your e-mail settings

Step (3): Put payload below in From e-mail address or From name parameter

"><iMg SrC="x" oNeRRor="alert(1);">

image

Proof of Concept for (3)

Step (1) : Access https://demo.microweber.org/demo/admin/view:settings#option_group=shop/orders/settings/setup_emails_on_order

Step (2): Click Add new email template or Edit Templates

Step (3): Put payload below in Template Name, Template type, From Name, From E-mail or Subject parameters (*for type parameter, need to change in request)

"><iMg SrC="x" oNeRRor="alert(1);"> image

Proof of Concept for (4)

Step (1) : Access https://demo.microweber.org/demo/admin/view:settings#option_group=shop/payments/admin

Step (2): Click Settings of Paypal Express

Step (3): Put payload below in Paypal username

"><iMg SrC="x" oNeRRor="alert(1);"> image

Proof of Concept for (5)

Step (1) : Access https://demo.microweber.org/demo/admin/view:settings#option_group=email

Step (2): Click Test Mail Sending Method

Step (3): Put payload below in Send test email to or Test mail subject

"><iMg SrC="x" oNeRRor="alert(1);">

Step (4): Click save email settings

image

Impact

If an attacker can control a script that is executed in the victim's browser, they might compromise that user, in this case, an admin, by stealing its cookies.

Occurrences

Lack of user input sanitization

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 2 months ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on 955471 2 months ago
Bozhidar Slaveykov has been awarded the fix bounty
other.php#L93-L104 has been validated
to join this conversation