stored xss in uploaded photo checkbox in microweber/microweber

Valid

Reported on

Mar 18th 2022

Description

  • xss code injection possible in endpoint "/api/save_media "
  • it accepts parameter "src" so if appended "%22onclick=%22alert('helo js executed');"
  • and send request then xss alert will execute when clicking on checkbox of uploaded blank photo

Proof of Concept

  1. login as admin
  2. open website > pages> edit page > upload photo
  3. add a photo and capture http requests
  4. select captured req to /api/save_media then append "%22onclick=%22alert('helo js executed');" to "src" parameter and resend it
  5. refresh webpage and you can see blank image uploaded. click on checkbox in the corner of image now xss alert will popup
POST /api/save_media HTTP/1.1
Host: 127.0.0.1

for=content&src=http%3A%2F%2F127.0.0.1%2Fmi%2Fuserfiles%2Fmedia%2Fdefault%2Fupi.png%22onclick=%22alert('helo js executed');&media_type=picture&for_id=15

Impact

This vulnerability is capable of xss injection in uploaded files option

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar Slaveykov modified the report
a year ago
Bozhidar Slaveykov validated this vulnerability a year ago
keralaboy123 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 1c6c99 a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE
keralaboy123
a year ago

Researcher

hi will i get cve id for this bug

keralaboy123
a year ago

Researcher

@bobimicroweber hi i need cve id.

to join this conversation