Reflected XSS in microweber/microweber

Reported on Apr 28th 2022

Bypass XSS filter on /module/

Proof of Concept

"draggable="true"ondragexit=alert(1)&class=x&from_url=x

Drag something around to trigger the XSS. Might only work in Firefox.

How to fix

This is still CVE-2022-1439, basically.
I can break out of these HTML attributes; this time I use another parameter because I need a valid ?module= to get some HTML elements, which I need to trigger this event handler, but the core bug is the same.

This affects many parameters on /module/; you can even define your own and they'll be appended as HTML attributes. You cannot allow breaking out of these with quotes.

Maybe you can just replace " and ' here like < and >.
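As an added example (not code from the report or from microweber), the following models the attribute-building behaviour the report describes, beside a hardened version that applies the suggested fix (escape " and ' the same way as < and >) and additionally allowlists attribute names, because a caller-chosen attribute name such as an on* handler needs no quote break-out at all. The element, the placeholder module value and the allowlist are assumptions; the sample parameters are constructed from the report's payload.

```python
import html
from html.parser import HTMLParser

# Constructed sample input modelled on the report's payload: the attacker-controlled
# value closes the quoted attribute and appends a drag event handler. The leading
# module name is a placeholder; the real value is not on the page.
ATTACK_PARAMS = {
    "module": 'PLACEHOLDER"draggable="true"ondragexit=alert(1)',
    "class": "x",
    "from_url": "x",
}

# Hypothetical allowlist of attribute names the endpoint may emit.
ALLOWED_ATTRS = {"module", "class", "from_url"}


def render_vulnerable(params):
    """Model of the bug the report describes: every query parameter is appended
    to the element as a double-quoted attribute with no escaping, so a quote in
    a value ends the attribute and anything after it becomes new attributes."""
    attrs = " ".join(f'{name}="{value}"' for name, value in params.items())
    return f"<div {attrs}></div>"


def render_fixed(params, allowed=ALLOWED_ATTRS):
    """Hardened variant: only allowlisted attribute names are emitted, and every
    value has & < > " ' escaped (html.escape with quote=True), so a value can
    never terminate its attribute or introduce another one."""
    attrs = " ".join(
        f'{name}="{html.escape(str(value), quote=True)}"'
        for name, value in params.items()
        if name in allowed
    )
    return f"<div {attrs}></div>"


class _AttrCollector(HTMLParser):
    """Records the attributes the HTML parser actually sees on the first tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def attributes_of(markup):
    """Parse the rendered element and return {attribute name: value}."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs or {}


def event_handlers_in(markup):
    """Names of on* attributes the parser sees; any of these means script runs."""
    return sorted(name for name in attributes_of(markup) if name.startswith("on"))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        markup = render(ATTACK_PARAMS)
        print(f"{label}: {markup}")
        print(f"  event handlers seen by the parser: {event_handlers_in(markup)}")
```

The check deliberately asks what a parser sees rather than grepping the string: with the vulnerable builder the parser reports `draggable` and `ondragexit` as separate attributes, while with the escaped builder the whole payload stays inside the `module` value and no on* attribute exists. Escaping quotes only covers values; the allowlist is what stops a parameter name like `onmouseover` from becoming a handler attribute.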


Executing JavaScript as the victim

We are processing your report and will contact the microweber team within 24 hours.
Finn Westendorf modified the report.

Finn Westendorf:

For the record, here's the same bypass in the same old "module" parameter, but you have to drag something else over it, e.g. a bookmark.

We have contacted a member of the microweber team and are waiting to hear back.
We have sent a follow up to the microweber team. We will try again in 7 days.
Peter Ivanov validated this vulnerability.
Finn Westendorf has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Peter Ivanov marked this as fixed in 1.2.16 with commit 527abd.
Peter Ivanov has been awarded the fix bounty.
This vulnerability will not receive a CVE.