Stored XSS in the module named "Dashboard" in microweber/microweber


Reported on

Apr 24th 2023


I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible.

Proof of Concept

link video PoC


1. Log in as administrator.

2. Click the 'Dashboard' module.

3. Click and go into the section named 'Add new order'.

4. Add products and enter the following value into the input box of the page:

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(document.cookie)"></xss>

This vulnerability lies in the 'Dashboard' module.


(1) It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website.

(3) First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting the normal use of users.
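A defensive check for values already stored through a form like the one in the report, added here as an example and not part of the original report or the microweber code base: it parses each stored value as HTML, reports markup a browser would act on, and shows that the HTML-escaped form of the same value yields no findings. The record ids and field names are constructed, since the report does not say which order field was affected.

```python
import html
from html.parser import HTMLParser

# The PoC value quoted in the report above.
POC = ('<style>@keyframes x{}</style><xss style="animation-name:x" '
       'onanimationend="alert(document.cookie)"></xss>')

# Constructed sample rows: (record id, field name, stored value).
SAMPLE_ROWS = [
    (101, "note", "Leave at the front desk"),
    (102, "note", POC),
    (103, "address", "12 Main St"),
]

class MarkupAudit(HTMLParser):
    """Collects markup a browser would act on if the value were rendered raw."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.findings.append(f"<{tag}> element")
        for name, _value in attrs:
            if name.startswith("on"):      # onanimationend, onerror, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name == "style":          # can start the animation that fires the handler
                self.findings.append(f"inline style on <{tag}>")

def audit_value(value):
    """Return a list of findings for one stored string (empty list = inert)."""
    parser = MarkupAudit()
    parser.feed(value)
    parser.close()
    return parser.findings

def audit_rows(rows):
    """Map (record id, field) -> findings for every row that contains active markup."""
    return {(rid, field): f for rid, field, value in rows if (f := audit_value(value))}

def escaped_for_output(value):
    """What the template should emit: the value as text, not as markup."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for key, findings in audit_rows(SAMPLE_ROWS).items():
        print(key, findings)
    print(audit_value(escaped_for_output(POC)))
```

The audit matches on event-handler attributes and `<style>` rather than on `<script>`, because the PoC contains no `<script>` tag at all.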

We are processing your report and will contact the microweber team within 24 hours. 10 months ago
We have contacted a member of the microweber team and are waiting to hear back 10 months ago
H4ck3r Kh0ỏng
10 months ago


Hi, is there any new update?

H4ck3r Kh0ỏng modified the report
10 months ago
H4ck3r Kh0ỏng
9 months ago


@admin It's been over 1 week but I haven't received any knowledge from the microweber team. Can you try contacting other members from the Microweber team?

Ben Harvie
9 months ago


Hey @H4ck3r, this is as far as our outreach attempts go at the moment. Feel free to try and contact the maintainer directly yourself to see if you can get their attention to your report. Thanks!

H4ck3r Kh0ỏng
9 months ago


@peter-mw Hi, is there any new update?

Peter Ivanov modified the Severity from High (7.6) to Medium (6.4) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 8 months ago
chucsse has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit 6ed7eb 8 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has now been published 4 months ago