Stored Cross Site Scripting vulnerability in Microweber <= 2.0.9
A Stored Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
- Microweber version <= 2.0.9
- Admin access
- Authenticate the application with administrative privileges
- Go to the endpoint /admin/users
- Select any user to edit (or create a new user and then edit it)
- Insert the payload
<img src=x onerror=alert(1)>
into either the "First Name" or "Last Name" field; both fields trigger the JavaScript injection
- Go to the endpoint /admin/module/view?type=users, where the stored payload is rendered and the JavaScript executes
- /admin/module/view?type=users
An attacker could execute JavaScript code in the browser of any administrator who views the user list, for example to obtain session information or to redirect the user to malicious websites.
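The following is an added illustration of the root cause behind this advisory and of the fix a patch would apply; it is example code written for this note, not Microweber's source. The user record, the row renderer and the helper names are constructed; the admin user list is modelled as a small server-side HTML renderer that receives the stored First Name and Last Name values.

```javascript
// Added example (not Microweber's code): why a stored name field becomes XSS,
// and what output encoding changes. The user record below is constructed and
// carries the exact payload from the advisory in its First Name field.
const STORED_USER = { first_name: '<img src=x onerror=alert(1)>', last_name: 'Smith' };

// Minimal HTML escaper for the five characters that matter in text and
// double-/single-quoted attribute context. '&' must be replaced first so the
// entities produced for the other characters are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern: stored field values are concatenated into markup as-is,
// so the stored '<img ... onerror=...>' becomes a real element, and its event
// handler runs, every time an administrator opens the user list.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.first_name}</td><td>${user.last_name}</td></tr>`;
}

// FIXED pattern: every untrusted value is encoded at output time. The same
// stored string is now displayed literally; no element or handler is created.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.first_name)}</td><td>${escapeHtml(user.last_name)}</td></tr>`;
}

// Coarse check usable in a test fixture or template review: does the rendered
// fragment contain a tag that carries an on* event-handler attribute? It is a
// heuristic (legitimate template buttons with onclick would also match), so it
// is meant to flag rows built from user data, not to replace encoding.
function containsActiveMarkup(html) {
  return /<\s*[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration: the unsafe row still contains a live handler,
// the safe row does not.
console.log(renderUserRowUnsafe(STORED_USER));
console.log(renderUserRowSafe(STORED_USER));
console.log('unsafe has handler:', containsActiveMarkup(renderUserRowUnsafe(STORED_USER)));
console.log('safe has handler:', containsActiveMarkup(renderUserRowSafe(STORED_USER)));
```

The fix is applied at output time rather than on input because the same name may later be rendered in other contexts (a JSON API response, a CSV export, an e-mail) where HTML entities would be wrong; rejecting angle brackets at input is at best a secondary control. A templating engine that escapes by default gives the same result, provided the affected view does not opt out of escaping for these fields.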