stored xss in uploaded photo checkbox in microweber/microweber
Mar 18th 2022
- xss code injection possible in endpoint "/api/save_media "
- it accepts parameter "src" so if appended "%22onclick=%22alert('helo js executed');"
- and send request then xss alert will execute when clicking on checkbox of uploaded blank photo
Proof of Concept
- login as admin
- open website > pages> edit page > upload photo
- add a photo and capture http requests
- select captured req to /api/save_media then append "%22onclick=%22alert('helo js executed');" to "src" parameter and resend it
- refresh webpage and you can see blank image uploaded. click on checkbox in the corner of image now xss alert will popup
POST /api/save_media Host: 127.0.0.1 for=content&src=http%3A%2F%2F127.0.0.1%2Fmi%2Fuserfiles%2Fmedia%2Fdefault%2Fupi.png%22onclick=%22alert('helo js executed');&media_type=picture&for_id=15
This vulnerability is capable of xss injection in uploaded files option