xss in live edit in microweber/microweber
Reported on
Nov 10th 2022
Description
When you make a website and log in as admin, and you add another user as admin, he may be an evil admin. In live edit (https://demoxss.microweber.net/?editmode=y) I started editing as HTML and saw that I could write a script, but it didn't pass when you open the site as an end user. Then I just tried adding an HTML tag with events, but the same thing happened: common events didn't pass. I started trying events and boom, I found that this event (onwebkittransitionend) works. Boom, it works in live editing when the admin edits the site, and it works for the end user too: https://demoxss.microweber.net/
Proof of Concept
// PoC.js
<a class="btn btn-primary" onwebkittransitionend="alert(document.cookie)">hacked</a>
Here is a picture of the XSS in the admin live edit: https://www.mediafire.com/view/srvpvn5s2caqir8/admin_live_edit.png/file
And here is the XSS on the normal site: https://www.mediafire.com/view/26gvxrcwn549dhd/enduser.png/file
Impact
An evil admin can steal admins' and end users' cookies.
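The report describes a filter that blocks "common events" but lets an uncommon handler (onwebkittransitionend) through. The following is an added example, not Microweber's code, showing why a denylist of known event names fails against the report's PoC while dropping every attribute whose name starts with "on" catches the whole handler family; the denylist contents and the `AttributeFilter` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Constructed denylist of "common events", modelled on the report: the
# handler that slipped through (onwebkittransitionend) is not on it.
COMMON_EVENT_DENYLIST = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}


class AttributeFilter(HTMLParser):
    """Re-serialises HTML, dropping any attribute for which drop_attr(name) is true."""

    def __init__(self, drop_attr):
        super().__init__(convert_charrefs=False)
        self.drop_attr = drop_attr
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if self.drop_attr(name):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def _run(html, drop_attr):
    p = AttributeFilter(drop_attr)
    p.feed(html)
    p.close()
    return "".join(p.out)


def sanitize_denylist(html):
    """Weak: only handlers on a fixed list are removed, so unusual events pass."""
    return _run(html, lambda n: n in COMMON_EVENT_DENYLIST)


def sanitize_prefix(html):
    """Stronger: every on* attribute is an event handler, whatever the event name.
    An allowlist of permitted attributes per tag is stricter still."""
    return _run(html, lambda n: n.startswith("on"))


# The PoC payload from the report, used as sample input.
POC = '<a class="btn btn-primary" onwebkittransitionend="alert(document.cookie)">hacked</a>'
```

Running `sanitize_denylist(POC)` returns the payload unchanged, while `sanitize_prefix(POC)` returns only `<a class="btn btn-primary">hacked</a>`.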
Hi Ahmed. Please be patient, there is no need to leave a comment every other day. Microweber are very active and by messaging so often you're more likely to irritate them than get a fast review.
Also, it's maintainers not admins that validate reports.
Apologies for the delay, this bug has now been fixed and I have gone ahead and published this vulnerability :)