Cross-site Scripting (XSS) - Reflected in microweber/microweber


Reported on Feb 20th 2022


There is a reflected cross-site scripting issue, chained using these two endpoints:

[1] /admin/content/0/edit
[2] /apiqq</script><script>alert(1)</script>fca4/page

Proof of Concept

  1. Login to
  2. Now visit
  3. Now open this url (in same tab or new):

The XSS payload will be executed in the browser.


Cross-site scripting attacks can lead to cookie theft (which can be chained into account takeover), redirection of users to attacker-controlled malicious websites, and more.
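The payload in endpoint [2] opens with </script>, which suggests the reflected value lands inside a <script> block; the report does not show the sink, so that is an assumption here. The Python below is an added illustration, not code from the report or from Microweber: it shows why escaping quotes alone does not help in a script context, how a JSON-style encoder that also escapes <, > and & closes the hole, and a tokenizer-based check that flags a script block the data has broken out of. The function names and the template are hypothetical.

```python
import json
from html.parser import HTMLParser

# Constructed input modelled on endpoint [2] in the report: the attacker-controlled
# part of the request path carries a '</script>' sequence.
REPORTED_PATH = "/apiqq</script><script>alert(1)</script>fca4/page"


def render_vulnerable(path: str) -> str:
    """Hypothetical template that drops the request path into a <script> string
    literal after escaping only double quotes. A '</script>' inside the data still
    ends the script element, so the rest of the path is parsed as markup."""
    return '<script>var currentUrl = "' + path.replace('"', '\\"') + '";</script>'


def js_string_literal(value: str) -> str:
    """Serialise a str as a JavaScript string literal that is safe inside <script>:
    json.dumps escapes quotes, backslashes and control characters, and '<', '>'
    and '&' are emitted as \\uXXXX escapes so the literal can never contain
    '</script>' or open a new tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(path: str) -> str:
    """Same template, with the value encoded for the JavaScript context."""
    return "<script>var currentUrl = " + js_string_literal(path) + ";</script>"


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags as a tokenizer sees them: script content is
    raw text up to the first '</script>', exactly as a browser treats it."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_element_count(document: str) -> int:
    """Detection check for a rendered page: a template containing one script block
    that parses into more than one script element has been broken out of."""
    counter = _ScriptCounter()
    counter.feed(document)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    print(script_element_count(render_vulnerable(REPORTED_PATH)))  # 2
    print(script_element_count(render_hardened(REPORTED_PATH)))    # 1
```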

We are processing your report and will contact the microweber team within 24 hours. (2 years ago)
Damanpreet modified the report. (2 years ago)
Damanpreet modified the report. (2 years ago)
We have contacted a member of the microweber team and are waiting to hear back. (2 years ago)


Bozhidar Slaveykov validated this vulnerability. (2 years ago)
daman-preet-singh has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Bozhidar Slaveykov marked this as fixed in 1.3 with commit a5925f. (2 years ago)
Bozhidar Slaveykov has been awarded the fix bounty.