XSS in live edit in microweber/microweber

Valid

Reported on

Nov 10th 2022


Description

When you make a website and log in as admin, if you add a user as admin, he may be an evil admin. In live edit (https://demoxss.microweber.net/?editmode=y) I started editing as HTML. I saw I could write a script, but it didn't pass when you open the site as an end user. Then I just tried adding an HTML tag with events, but the same happened: common events didn't pass. I started trying events and boom, I found this event (onwebkittransitionend). It works in live editing when an admin edits the site, and it works for the end user at https://demoxss.microweber.net/

Proof of Concept

// PoC.js
<a class="btn btn-primary" onwebkittransitionend="alert(document.cookie)">hacked</a>
Here is a picture of the XSS in admin live edit: https://www.mediafire.com/view/srvpvn5s2caqir8/admin_live_edit.png/file
And here is the XSS on the normal site: https://www.mediafire.com/view/26gvxrcwn549dhd/enduser.png/file

Impact

An evil admin can steal the cookies of admins and end users.
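
The behaviour reported above (common event attributes rejected, `onwebkittransitionend` accepted) is how a filter keyed on known handler names looks from the outside. The following is an added example, not part of the original report and not Microweber's code or its fix: it contrasts a constructed blocklist with an allowlist sanitizer, and `COMMON_EVENTS`, `ALLOWED`, `SAFE_URL_PREFIXES` and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for a filter that only knows "common" event attributes.
COMMON_EVENTS = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}
# Assumed allowlist policy: tag -> attributes that may be kept.
ALLOWED = {"a": {"class", "href", "title"}, "p": {"class"}, "span": {"class"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# PoC markup from the report above.
POC = '<a class="btn btn-primary" onwebkittransitionend="alert(document.cookie)">hacked</a>'

class AllowlistSanitizer(HTMLParser):
    """Parses html on construction and re-serialises only allowlisted markup."""
    def __init__(self, html):
        super().__init__(convert_charrefs=True)
        self.out, self.seen_attrs = [], []
        self.feed(html)
        self.close()
    def handle_starttag(self, tag, attrs):
        self.seen_attrs += [name for name, _ in attrs]
        if tag not in ALLOWED:
            return  # unknown tags (script, svg, iframe, ...) are dropped
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue  # every on* handler is dropped here, known or not
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript:, data: and similar schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return html reduced to the allowlisted tags and attributes."""
    return "".join(AllowlistSanitizer(html).out)

def event_handlers(html):
    """List the on* attribute names present in html."""
    return [n for n in AllowlistSanitizer(html).seen_attrs if n.startswith("on")]

def blocklist_survivors(html):
    """Handlers that a filter limited to COMMON_EVENTS would leave in place."""
    return [n for n in event_handlers(html) if n not in COMMON_EVENTS]
```

`blocklist_survivors(POC)` still reports the handler from the PoC, while `sanitize(POC)` keeps only the `class` attribute because nothing outside the allowlist is re-emitted.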

We are processing your report and will contact the microweber team within 24 hours. 2 months ago
We have contacted a member of the microweber team and are waiting to hear back 2 months ago
a7med-m7moued
2 months ago

Researcher


Any news?

a7med-m7moued
2 months ago

Researcher


@admin

a7med-m7moued
2 months ago

Researcher


@admin

Pavlos
2 months ago

Admin


Hi Ahmed. Please be patient, there is no need to leave a comment every other day. Microweber are very active and by messaging so often you're more likely to irritate them than get a fast review.

Also, it's maintainers not admins that validate reports.

Peter Ivanov modified the Severity from Medium (6.8) to Medium (5.1) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a month ago
a7med-m7moued has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit 20df56 a month ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 20th 2022
a7med-m7moued
19 days ago

Researcher


@admin Hi, when will my report be published?

Pavlos
19 days ago

Admin


Sorry that's a bug, we will publish the report and the CVE today

a7med-m7moued
19 days ago

Researcher


@admin okay thanks

a7med-m7moued
19 days ago

Researcher


@admin any updates?

Ben Harvie published this vulnerability 19 days ago
Ben Harvie
19 days ago

Admin


Apologies for the delay, this bug has now been fixed and I have gone ahead and published this vulnerability :)
