Stored Cross Site Scripting vulnerability in Microweber <= 2.0.9
A Stored Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the "Add new campaign" function.
- Microweber version <= 2.0.9
- Admin access
- Authenticate the application with administrative privileges
- Go to the endpoint /admin/modules/newsletter/lists and click on "+ Add new list"
- Insert the payload
<img src=x onerror=alert(1)>on "List name" field - Click "Save" to trigger the JavaScript injection. The injection will be triggered when listing current campaigns and on the creation tab of a new subscriber too.
- /admin/modules/newsletter
An attacker could execute JavaScript code in the victim's browser, obtaining information or forcing the user to access malicious websites, for example.