Microweber, an open source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security experts (CMS).
The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was fixed in Microweber version 1.2.12.
The issue developed as a result of flaws in older versions of Microweber’s content filtering measures.
Because of these flaws, attackers could upload an XSS payload as long as it had a file ending in ‘html’ — a category that encompasses considerably more than simply plain.html files.
Once this payload has been uploaded, a URL containing malicious HTML and malicious JavaScript may be visited and executed.
An attacker might grab cookies before impersonating a victim, perhaps the administrator of a compromised system, by manipulating a script that runs in the victim’s browser.
A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept hack, goes into additional detail about the assault.
Microweber was asked to remark on the researchers’ results via a message submitted through a webform on The Daily Swig’s website. Microweber responded by confirming that the “problem is already fixed.”
“I got over huntr.dev and noticed other researchers have identified vulnerabilities on Microweber, and that’s why I joined that madness!” Yeung said The Daily Swig when asked how they came across Microweber as a target.
According to Yeung, the vulnerabilities discovered in Microweber are typical to those seen in other similar corporate software programmes.
“I’ve uncovered similar vulnerabilities in numerous CMS, such as Microweber, and I’ve discovered that the majority of them lack user input sanitization from HTTP requests (some of which aren’t supposed to be provided by the client),” the researcher noted.
To avoid issues in this area, Yeung determined that developers should shift away from block-lists and toward allow-lists.