
CVE-2023-1881: Stored XSS From Visitor to Acc Takeover in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.


Valid

Reported on

Feb 16th 2023

Description

Using the X-Forwarded-For header, a visitor can manipulate the recorded IP to trigger XSS.

Proof of Concept

1. Visit any URL and add the header X-Forwarded-For: 127.0.0.1"><image/src/onerror=prompt(8)>
2. If the admin checks the dashboard, the XSS will trigger.

Check these images:
>https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
>https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link

Disclaimer: This is my own website
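As an added illustration, not microweber's own code, the pattern the report describes beside a hardened version: the visitor IP is taken from X-Forwarded-For only behind a proxy the operator controls and only when it parses as an address, and it is HTML-escaped when rendered in the dashboard. Function names, the remote address and the request records are assumptions constructed for the example.

```python
import html
import ipaddress

# The header value from the report, kept here only as the input the
# hardened path must reject.
REPORTED_VALUE = '127.0.0.1"><image/src/onerror=prompt(8)>'


def client_ip_vulnerable(headers: dict, remote_addr: str) -> str:
    """Pre-1.3.3 pattern: store whatever X-Forwarded-For says, verbatim."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(headers: dict, remote_addr: str,
                       behind_trusted_proxy: bool = False) -> str:
    """Use X-Forwarded-For only when a trusted proxy sets it, and only if
    the first hop is a syntactically valid IP; otherwise keep the peer address."""
    if behind_trusted_proxy:
        first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        try:
            # ipaddress rejects anything that is not an IPv4/IPv6 literal,
            # so markup never reaches storage.
            return str(ipaddress.ip_address(first_hop))
        except ValueError:
            pass
    return remote_addr


def render_visitor_cell_vulnerable(ip: str) -> str:
    """Dashboard rendering without output encoding: stored markup executes."""
    return f"<td>{ip}</td>"


def render_visitor_cell_hardened(ip: str) -> str:
    """Output encoding as the second layer: even a bad stored value is inert."""
    return f"<td>{html.escape(ip, quote=True)}</td>"


if __name__ == "__main__":
    # Constructed request: hostile header, peer address from a documentation range.
    headers = {"X-Forwarded-For": REPORTED_VALUE}
    print(render_visitor_cell_vulnerable(client_ip_vulnerable(headers, "203.0.113.7")))
    print(render_visitor_cell_hardened(client_ip_hardened(headers, "203.0.113.7", True)))
```

Validation at storage and escaping at output are independent controls; the fix should keep both, because a stored value may later be rendered by a template that does not escape.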

Impact

Account takeover

Related news

GHSA-hhjm-mpmf-cxg9: Microweber vulnerable to stored cross-site scripting (XSS) via X-Forwarded-For header

microweber/microweber prior to 1.3.3 is vulnerable to stored cross-site scripting (XSS) via the `X-Forwarded-For` header. This was fixed in version 1.3.3.
