Severe XSS Vulnerability Found In Microweber CMS

Researchers found a severe cross-site scripting (XSS) vulnerability in Microweber CMS. Exploiting the bug could allow an adversary to upload malicious payloads to the platform.

Microweber XSS Vulnerability

According to the details shared in a bug report, the researchers James Yeung and Bozhidar Slaveykov spotted a stored cross-site scripting (XSS) flaw in the Microweber platform.

Microweber is an open-source, PHP-based web development and content management system. It offers a user-friendly interface with a simple drag-and-drop editor that lets users build polished websites quickly.

Describing the vulnerability, the post reads,

A user can upload a .[a-z]html file (e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html) with an XSS payload. Upon upload, a URL with the malicious HTML can be accessed and JavaScript will be executed.

The researchers also shared a PoC exploit in the bug report, showing how an adversary could abuse the flaw. Because the bug let an attacker upload files carrying an XSS payload that the site then served as HTML, it could severely impact affected websites.
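The filter shape the report describes, reconstructed as an added defensive example in Python (this is not Microweber's PHP code; the denylist is an assumption about how such a filter is commonly written, since the report does not show the filter's logic). It contrasts the bypassable denylist with an allowlist plus server-chosen storage names, and adds a regex to audit existing uploads for the `.[a-z]html` pattern:

```python
import re
import secrets

# Assumed shape of the bypassed filter: a denylist of exact extensions (a guess at
# the filter's logic, not Microweber's actual code). "ahtml" is not listed, so it passes.
DENYLIST = {"html", "htm", "php", "phtml", "js", "svg"}

def last_extension(filename: str) -> str:
    """Lower-cased text after the final dot, or '' if there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def weak_is_allowed(filename: str) -> bool:
    """Denylist check: rejects page.html but lets page.ahtml through."""
    return last_extension(filename) not in DENYLIST

# Hardened check: an allowlist of benign extensions, matched exactly on the last suffix.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

def strong_is_allowed(filename: str) -> bool:
    return last_extension(filename) in ALLOWLIST

def storage_name(filename: str) -> str:
    """Server-chosen name: random token plus allowlisted extension, so the
    client-supplied name never reaches the filesystem or a URL."""
    ext = last_extension(filename)
    if ext not in ALLOWLIST:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"

# Detection aid for existing upload directories or logs: names whose suffix is letters
# followed by "html" (the report's ".[a-z]html" pattern; "ddhtml" shows more than one
# letter occurs, so [a-z]+ is used here).
BYPASS_SUFFIX = re.compile(r"\.[a-z]+html$", re.IGNORECASE)

def looks_like_html_bypass(filename: str) -> bool:
    return bool(BYPASS_SUFFIX.search(filename))

def audit(names):
    """Return the names the weak filter would have accepted that still end in *html."""
    return [n for n in names if weak_is_allowed(n) and looks_like_html_bypass(n)]

if __name__ == "__main__":
    # Constructed sample names, including the ones the bug report lists.
    sample = ["page.html", "page.ahtml", "page.bhtml", "x.chtml", "y.ddhtml", "photo.jpg"]
    for n in sample:
        print(f"{n:12} weak={weak_is_allowed(n)!s:5} strong={strong_is_allowed(n)}")
    print("suspicious:", audit(sample))
```

The allowlist alone is not sufficient on its own: uploads should also be served with `X-Content-Type-Options: nosniff` and an explicit Content-Type so a browser never interprets them as HTML.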

Mentioning the possible impact of this flaw as cookie theft, the report states,

If an attacker can control a script that is executed in the victim's browser, they might compromise that user, in this case an admin, by stealing their cookies.

Patch Deployed

Upon discovering this vulnerability, the researchers reported it to the developers through the bug bounty program on Huntr, a bug bounty platform. The developers patched the flaw and awarded the researchers the corresponding bounties.

The bug has been assigned the identifier CVE-2022-0930. According to the vulnerability description,

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

Although the bug has been fixed, users must update their sites to the latest CMS version (1.2.12 or later) to receive the patch. This is especially important because the PoC exploit is public, and adversaries can be expected to try it against unpatched sites.
