Stored XSS From Visitor to Acc Takeover in microweber/microweber

Valid

Reported on

Feb 16th 2023


Description

Using the X-Forwarded-For header, a visitor can manipulate the recorded IP to trigger XSS.

Proof of Concept

1. Visit any URL and add the header X-Forwarded-For: 127.0.0.1"><image/src/onerror=prompt(8)>
2. If an admin checks the dashboard, the XSS will trigger.

Check these images:
- https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
- https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link

Disclaimer: This is my own website

Impact

Account takeover
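As an added example (not Microweber's code), the server-side handling that closes this class of bug: honour X-Forwarded-For only when the request came from a proxy you run, accept only a syntactically valid IP from it, and entity-encode the value on output anyway. The trusted-proxy address and the sample peer addresses are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed example (not Microweber's code): visitor-IP handling that
// cannot be turned into stored XSS via X-Forwarded-For.

// Assumption for this example: the only proxy allowed to set the header.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Return the visitor IP to record. Untrusted or malformed header values
 * are discarded in favour of the TCP peer address, never stored verbatim.
 */
function visitorIp(string $remoteAddr, ?string $forwardedFor, array $trustedProxies = TRUSTED_PROXIES): string
{
    // If the peer is not one of our proxies, the header is attacker-controlled.
    if ($forwardedFor === null || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    // X-Forwarded-For is "client, proxy1, proxy2"; the right-most entry was
    // appended by our own proxy, so it is the only one we can trust.
    $parts = array_map('trim', explode(',', $forwardedFor));
    $candidate = end($parts);
    // Anything that is not a valid IP (such as the "><image ...> payload
    // from the report) is rejected rather than stored.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remoteAddr;
    }
    return $candidate;
}

/** Defence in depth: escape on output even though the stored value was validated. */
function renderVisitorRow(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Demonstration with the payload shape from the report (constructed peers).
$payload = '127.0.0.1"><image/src/onerror=prompt(8)>';
echo visitorIp('203.0.113.7', $payload), PHP_EOL;   // peer is not a trusted proxy: header ignored
echo visitorIp('10.0.0.5', $payload), PHP_EOL;      // trusted proxy, but the entry is not an IP: rejected
echo visitorIp('10.0.0.5', '198.51.100.9'), PHP_EOL; // trusted proxy and a valid IP: accepted
echo renderVisitorRow($payload), PHP_EOL;           // quotes and angle brackets are entity-encoded
```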

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Peter Ivanov
3 months ago

Maintainer


Hi, thanks for the report. The affected version is 1.3.2, not 3.1.2. Can you please change it in the report? @admin

isdkrisna modified the report
3 months ago
isdkrisna
3 months ago

Researcher


I have already edited it, so there's no need for an admin. Is this report worth a CVE?

Peter Ivanov modified the Severity from Critical (9.3) to High (7.4) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 3 months ago

Thanks for the report. The issue is now fixed in version 1.3.3.

isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 8d039d 3 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Peter Ivanov published this vulnerability a month ago