Stored XSS in the module named "Website settings" in microweber/microweber


Reported on

Dec 24th 2022


Our engineer found security problems when testing our website. And I have tested the demo website you provided. I found that there is indeed an xss vulnerability. I hope you can check and provide a fix as soon as possible.Thanks.


The reason for the vulnerability is that you have used blacklists in /src/MicroweberPackages/Helper/XSSClean.php for filtering, but the blacklists are not perfect.And there are still events that can be used, such as 'onbeforeinput'.

Video link



1.Login as administrator.

2.Click the 'Settings' module.

3.Click and go into section named 'E-mail' or 'General'.

4.Enter the following value in the input box of the page.


This vulnerability lies in module 'Settings' of the administrator interface. All contents of module 'Website settings', including 'General', 'E-mail','Advanced' have this xss vulnerability.


(1) To steal the administrator account or cookie, the intruder can log in to the background as an administrator. It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretend to be a user for various operations.

(3) The website hangs horses. First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting the normal use of users.


I think you should improve the blacklist of xss or directly disable all events named 'onxxxx'.

We are processing your report and will contact the microweber team within 24 hours. a year ago
a year ago


hi,@Maintainer,Due to the flaw of xss blacklist, not only the settings module, but also other places on the website may have xss vulnerabilities.So I hope you could fix it as soon as possible.

We have contacted a member of the microweber team and are waiting to hear back a year ago
a year ago


hi,@Maintainer,any update please

a year ago


Has anyone noticed this report?

Peter Ivanov modified the Severity from High (7.5) to Medium (5.7) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 10 months ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 29d418 10 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 28th 2023
XSSClean.php#L38 has been validated
Peter Ivanov published this vulnerability 9 months ago
to join this conversation