Cross-site Scripting (XSS) - Reflected in microweber/microweber

Status: Valid

Reported on Feb 20th 2022


Description

There is a reflected cross-site scripting issue, chained using these endpoints:

[1] /admin/content/0/edit
[2] /apiqq</script><script>alert(1)</script>fca4/page

Proof of Concept

  1. Log in to https://demo.microweber.org
  2. Now visit https://demo.microweber.org/demo/admin/content/0/edit
  3. Now open this URL (in the same tab or a new one): https://demo.microweber.org/demo/apiqq%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3Efca4/page

The XSS payload will be executed in the browser.
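An added example, not from the report and not Microweber's own code: a small Node.js model of the script-context break-out that step 3 relies on. The payload path contains a literal </script>, and an HTML parser ends a script element at the first "</script" it sees, regardless of JavaScript string syntax, so a page that echoes the request path into an inline script with only quote escaping is trivially broken out of. The vulnerable render function below is an assumed pattern used for illustration, not the actual Microweber code; the hardened version JSON-encodes the value and escapes <, > and & as \uXXXX so the HTML tokenizer never sees a closing tag. The decoded PoC path is taken from the URL in step 3.

```javascript
// Added example (not the report's or Microweber's code): how a request path
// reflected into an inline <script> block lets "</script>" end the block early,
// and how to serialize the value so the browser cannot leave the script context.

// Constructed from step 3 of the PoC: the percent-encoded URL path and its
// decoded form.
const POC_URL_PATH = "/demo/apiqq%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3Efca4/page";
const POC_PATH = "/demo/apiqq</script><script>alert(1)</script>fca4/page";

// Assumed vulnerable pattern (illustration only, not Microweber's code): the
// current path is echoed into an inline script as a JS string literal with
// only backslashes and double quotes escaped.
function renderVulnerable(path) {
  const quoted = path.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `<script>var currentPath = "${quoted}";</script>`;
}

// Hardened form: JSON-encode, then turn "<", ">", "&" and the line/paragraph
// separators into JavaScript unicode escapes. The HTML parser sees "\u003c"
// (plain ASCII), while the JS engine still decodes it to "<".
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(path) {
  return `<script>var currentPath = ${jsonForInlineScript(path)};</script>`;
}

// Minimal model of how an HTML tokenizer handles script content: from an
// opening <script> tag, the body runs to the first "</script" (case-insensitive),
// whatever the JavaScript inside looks like. Returns every script body found.
function extractScriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Does the rendered page contain a script body the attacker controls entirely?
function hasInjectedScript(html) {
  return extractScriptBodies(html).includes("alert(1)");
}

// Compare the two renderings of the PoC path.
function demo() {
  const vuln = renderVulnerable(POC_PATH);
  const safe = renderHardened(POC_PATH);
  return {
    pocDecodesToPath: decodeURIComponent(POC_URL_PATH) === POC_PATH,
    vulnerableScriptCount: extractScriptBodies(vuln).length, // 2: the original plus alert(1)
    vulnerableInjected: hasInjectedScript(vuln),
    hardenedScriptCount: extractScriptBodies(safe).length,   // 1: the original only
    hardenedInjected: hasInjectedScript(safe),
    // The escaped value still parses back to the original path.
    hardenedRoundTrips: JSON.parse(jsonForInlineScript(POC_PATH)) === POC_PATH,
  };
}

console.log(demo());
```

Note what this models and what it does not: only the reflection step. The report says the payload fires after first visiting /admin/content/0/edit (step 2), and this example does not reproduce that dependency. The practical lesson is that escaping quotes inside a script string is not a defence against this class of bug; the value has to be encoded so that the HTML tokenizer, which runs before the JavaScript parser, cannot find a closing tag.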

Impact

Cross-site scripting attacks can lead to cookie stealing (which can be chained into account takeover), redirecting users to attacker-controlled malicious websites, etc.

We are processing your report and will contact the microweber team within 24 hours. (3 months ago)
Damanpreet modified the report (3 months ago)
Damanpreet modified the report (3 months ago)
We have contacted a member of the microweber team and are waiting to hear back. (3 months ago)
Bozhidar (Maintainer), 3 months ago:

https://github.com/microweber/microweber/commit/0b6b1eb5ba85ffc8f74e6f5f5be9dc9f9f7e9d8f

Bozhidar Slaveykov validated this vulnerability (3 months ago)
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on a5925f (3 months ago)
Bozhidar Slaveykov has been awarded the fix bounty