Stored XSS From Visitor to Acc Takeover in microweber/microweber
Valid
Reported on
Feb 16th 2023
Description
Using the X-Forwarded-For header, a visitor can manipulate the IP address to trigger XSS.
Proof of Concept
1. Visit any URL and add the header X-Forwarded-For: 127.0.0.1"><image/src/onerror=prompt(8)>
2. If the admin checks the dashboard, the XSS will trigger.
Check these images:
https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link
Disclaimer: This is my own website
Impact
Account takeover
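The report above describes the classic pattern behind this class of bug: a request header that the application treats as "the visitor's IP" is stored verbatim and later rendered into an admin page. The defensive fix has two independent layers, and the following added example (written for this page, not Microweber's own code, which is PHP) shows both in Python: accept X-Forwarded-For only from a trusted proxy and only if the value parses as an IP address, and HTML-escape at render time regardless of what was stored. The trusted-proxy ranges and the sample header values are constructed for the example; the last sample reuses the payload shape from the proof of concept so the rejection path is visible.

```python
import html
import ipaddress
from typing import Iterable, Optional

# Constructed sample X-Forwarded-For values (assumptions for this example).
# The fourth entry mirrors the payload shape shown in the report.
SAMPLE_XFF_VALUES = [
    "203.0.113.7",
    "203.0.113.7, 198.51.100.2",
    " 2001:db8::1 ",
    '127.0.0.1"><image/src/onerror=prompt(8)>',
    "",
]

# Constructed example: only a reverse proxy on this network may set XFF.
TRUSTED_PROXIES = ("10.0.0.0/8",)


def client_ip_from_xff(xff: Optional[str], remote_addr: str,
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the IP to record for a visitor.

    Layer 1 (input validation):
      * X-Forwarded-For is ignored unless the socket peer is a trusted proxy,
        otherwise any client can set it directly.
      * Only the first comma-separated entry (the original client) is used,
        and only if it parses as an IPv4/IPv6 address.
      * Anything else falls back to the peer address, so free-form attacker
        text never reaches storage.
    """
    peer = ipaddress.ip_address(remote_addr)
    peer_is_trusted_proxy = any(
        peer in ipaddress.ip_network(net, strict=False) for net in trusted_proxies
    )
    if not xff or not peer_is_trusted_proxy:
        return str(peer)
    first_hop = xff.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        # Not an IP address: discard the header entirely.
        return str(peer)


def render_visitor_cell(stored_value: str) -> str:
    """Layer 2 (output encoding): escape at render time even if a bad value
    somehow reached the database, so a second bug cannot become stored XSS."""
    return "<td>" + html.escape(stored_value, quote=True) + "</td>"


def audit_samples(remote_addr: str = "10.0.0.1") -> list:
    """Run every constructed sample through both layers; returns (raw, stored, html)."""
    rows = []
    for raw in SAMPLE_XFF_VALUES:
        stored = client_ip_from_xff(raw, remote_addr)
        rows.append((raw, stored, render_visitor_cell(stored)))
    return rows


if __name__ == "__main__":
    for raw, stored, cell in audit_samples():
        print(f"{raw!r:45} -> stored={stored!r:15} rendered={cell}")
```

The two layers are deliberately independent: the validation step means the dashboard never stores the payload at all, while the escaping step means that even a record written by another code path (or by a future regression) is displayed as inert text. Note that the example trusts the first XFF entry only because it also checks that the peer is a known proxy; without that check the header is entirely client-controlled and should not be used for anything security-relevant.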
We are processing your report and will contact the microweber team within 24 hours.
3 months ago
We have contacted a member of the microweber team and are waiting to hear back.
3 months ago
Hi, thanks for the report. The affected version is 1.3.2, not 3.1.2. Can you please change it in the report, @admin?
isdkrisna modified the report
3 months ago
I have already edited it, so there's no need for an admin. Is this report worth a CVE?
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Thanks for the report. The issue is now fixed in version 1.3.3.
isdkrisna has been awarded the disclosure bounty.
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov has been awarded the fix bounty.
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023.