This article is part of our Vulnerability Database.

Cross-site Scripting occurrences in Microweber

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. (2022-11-25, CVE-2022-0698)

An HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page; XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input. (2022-09-20, CVE-2022-3245)

Code Injection in GitHub repository microweber/microweber prior to 1.3.2. (2022-09-20, CVE-2022-3242)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1. (2022-08-11, CVE-2022-2777)

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21. (2022-07-22, CVE-2022-2470)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21. (2022-07-22, CVE-2022-2495)

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. (2022-07-09, CVE-2022-2353)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. (2022-07-04, CVE-2022-2300)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. (2022-07-01, CVE-2022-2280)

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18. (2022-06-22, CVE-2022-2174)

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17. (2022-06-20, CVE-2022-2130)

Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim. (2022-05-04, CVE-2022-1584)

DOM XSS in Microweber version 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. Inject arbitrary JS code, deface the website, steal cookies, etc. (2022-05-04, CVE-2022-1555)

XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks. (2022-04-27, CVE-2022-1504)

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction. (2022-04-22, CVE-2022-1439)

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12. (2022-03-15, CVE-2022-0963)

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shop's Payment Methods in GitHub repository microweber/microweber prior to 1.2.11. (2022-03-15, CVE-2022-0954)

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. (2022-03-12, CVE-2022-0930)

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. (2022-03-12, CVE-2022-0929)

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. (2022-03-12, CVE-2022-0926)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12. (2022-03-11, CVE-2022-0928)

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12. (2022-03-10, CVE-2022-0906)

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11. (2022-02-26, CVE-2022-0723)

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3. (2022-02-26, CVE-2022-0763)

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3. (2022-02-23, CVE-2022-0719)

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. (2022-02-19, CVE-2022-0690)

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. (2022-02-19, CVE-2022-0678)

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. (2022-02-10, CVE-2022-0558)

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. (2022-02-08, CVE-2022-0506)

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. (2022-01-26, CVE-2022-0378)

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. (2022-01-26, CVE-2022-0379)

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. (2022-01-20, CVE-2022-0278)

A Cross Site Scripting (XSS) vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute JavaScript by inserting code in the request form. (2021-10-19, CVE-2021-33988)

Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities. (2019-03-21, CVE-2018-19917)

Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in the Admin login form template that can result in execution of JavaScript code. (2018-12-20, CVE-2018-1000826)

Why Cross-site Scripting can be dangerous

Cross-site scripting is an attack in which a web page executes code injected by an adversary. It usually appears where user input is reflected back into the page. The attack can be used to impersonate a user, take over the user's session, or even steal API keys.

The attack becomes possible when, for example, your application inserts a request parameter directly into the HTML of the page returned to the user:

https://server.com/confirmation?message=Transaction+Complete

which results in:

<span>Confirmation: Transaction Complete</span>

In that case the message can be modified into valid JavaScript, e.g.:

https://server.com/confirmation?message=<script>dangerous javascript code here</script>

and it will be executed by the user's browser, with full access to the user's data in that application and browser:

<span>Confirmation: <script>dangerous javascript code here</script></span>
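As an added example (not code from the original page or from Microweber), here is the reflection pattern above written in JavaScript as a vulnerable renderer next to a hardened one, plus a check a test suite can run against rendered output; the URL, the `message` parameter and all function names are assumptions chosen for illustration.

```javascript
// Added example (not from the original page or from Microweber): the reflected-XSS
// pattern described above, with the vulnerable renderer beside a hardened one.
// The URL, parameter name and function names are constructed for illustration.

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the "message" query parameter out of the request URL ("+" decodes to a space).
function messageFromUrl(url) {
  return new URL(url).searchParams.get("message") ?? "";
}

// Vulnerable: the parameter is interpolated verbatim, so a <script> tag in the
// query string becomes live markup in the response (the behaviour described above).
function renderConfirmationVulnerable(url) {
  return `<span>Confirmation: ${messageFromUrl(url)}</span>`;
}

// Hardened: HTML-encode the value before placing it in a text node. This escaping is
// only correct for a text/attribute-value context; a value dropped into a <script>
// block or a URL needs context-specific encoding instead.
function renderConfirmationSafe(url) {
  return `<span>Confirmation: ${escapeHtml(messageFromUrl(url))}</span>`;
}

// Regression check: rendered HTML must not contain the untrusted value verbatim
// whenever that value carries markup characters.
function reflectsRawMarkup(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}

// Constructed sample requests: the benign one from the article and a hostile one.
const BENIGN_URL = "https://server.com/confirmation?message=Transaction+Complete";
const HOSTILE_URL = "https://server.com/confirmation?message=" +
  encodeURIComponent("<script>dangerous javascript code here</script>");
```

Running `reflectsRawMarkup` over every rendered view in a test suite is a cheap way to catch a template that forgot to encode before a release does.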
