Headline
CVE-2022-0678: Cross-site Scripting (XSS) - Reflected in microweber
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
Valid
Reported on
Feb 18th 2022
Description
The redirect value can break out of the meta tag because the double quote in the $redirectUrl parameter is not escaped when logging out.
Proof of Concept
https://<server>/demo/api/logout?redirect_to=/asdf"><iframe onload=alert(document.domain)>
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
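Added illustration of the bug class described above (not microweber's code, and written in Python rather than the project's PHP): a redirect value dropped verbatim into a double-quoted meta attribute beside the same render with attribute-context escaping, plus a parser-based check that shows whether the input produced an extra element. It assumes the meta tag in question is an http-equiv refresh; the payload is the one quoted in the Proof of Concept.

```python
import html
from html.parser import HTMLParser

# Constructed input: the payload string quoted in the report above.
REPORTED_PAYLOAD = '/asdf"><iframe onload=alert(document.domain)>'


def meta_refresh_vulnerable(redirect_url: str) -> str:
    """Hypothetical vulnerable pattern: the value is placed in a double-quoted
    attribute as-is, so a '"' in it closes the attribute and the remainder
    is parsed as new markup."""
    return f'<meta http-equiv="refresh" content="0;url={redirect_url}">'


def meta_refresh_escaped(redirect_url: str) -> str:
    """Hardened pattern: encode for the HTML attribute context. quote=True
    converts both '"' and "'" to entities, so the browser keeps the whole
    value inside content="..."."""
    safe = html.escape(redirect_url, quote=True)
    return f'<meta http-equiv="refresh" content="0;url={safe}">'


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(fragment: str) -> list[str]:
    """Defender's check: which elements does the rendered fragment contain?
    Exactly one <meta> is expected; any other element means the value broke
    out of the attribute."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for name, render in (("vulnerable", meta_refresh_vulnerable),
                         ("escaped", meta_refresh_escaped)):
        out = render(REPORTED_PAYLOAD)
        print(f"{name}: {out}")
        print(f"  elements parsed: {rendered_tags(out)}")
```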