Wednesday, February 8, 2023

Microweber developers resolve XSS vulnerability in CMS software


Microweber, an open source website builder and content management system (CMS), contained a stored cross-site scripting (XSS) vulnerability, according to security researchers.

The security flaw, tracked as CVE-2022-0930 and discovered by researchers James Yeung and Bozhidar Slaveykov, was fixed in Microweber version 1.2.12.

The issue stemmed from weaknesses in the content filtering measures of older Microweber versions.

Because of these weaknesses, attackers could upload an XSS payload as long as it had a file ending in ‘html’, a category that encompasses considerably more than plain .html files.

Once such a payload has been uploaded, a URL pointing to the malicious HTML and JavaScript can be visited, and the script executes in the visitor’s browser.

Using a script that runs in the victim’s browser, an attacker could steal session cookies and then impersonate the victim, who might be the administrator of the compromised site.

A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept, goes into additional detail about the attack.

Microweber was asked to comment on the researchers’ findings via a message submitted through a webform on The Daily Swig’s website. Microweber responded by confirming that the “problem is already fixed.”

“I got over huntr.dev and noticed other researchers have identified vulnerabilities on Microweber, and that’s why I joined that madness!” Yeung told The Daily Swig when asked how they came across Microweber as a target.

According to Yeung, the vulnerabilities discovered in Microweber are typical of those seen in other similar corporate software products.

“I’ve uncovered similar vulnerabilities in numerous CMS, such as Microweber, and I’ve discovered that the majority of them lack user input sanitization from HTTP requests (some of which aren’t supposed to be provided by the client),” the researcher noted.

To avoid issues in this area, Yeung recommended that developers shift away from block-lists and toward allow-lists.
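The following added example (not Microweber’s code, and the extension lists are hypothetical) contrasts the two validation strategies the article describes: a block-list that rejects only the exact extension “html” still accepts other file endings that a browser renders as HTML, while an allow-list of known-safe extensions rejects all of them.

```python
from pathlib import PurePosixPath

# Hypothetical block-list and allow-list for an upload handler (constructed for illustration).
BLOCKED_EXTENSIONS = {"html", "htm", "php", "js"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ("" if none)."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def blocklist_allows(filename: str) -> bool:
    """Block-list policy: reject only known-bad extensions, accept everything else."""
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Allow-list policy: accept only known-safe extensions, reject everything else."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def browser_may_render_as_html(filename: str) -> bool:
    """Approximation: any extension ending in 'html' (xhtml, shtml, mhtml, ...) or 'htm'
    is treated as active HTML content when served from the same origin."""
    ext = extension_of(filename)
    return ext.endswith("html") or ext == "htm"


def risky_uploads(filenames, policy):
    """File names the policy accepts even though a browser would render them as HTML."""
    return [name for name in filenames if policy(name) and browser_may_render_as_html(name)]


# Constructed sample of upload names, including variants that only end in 'html'.
SAMPLE = ["logo.png", "page.html", "page.xhtml", "include.shtml",
          "notes.mhtml", "report.pdf", "upper.HTML"]

if __name__ == "__main__":
    print("block-list lets through:", risky_uploads(SAMPLE, blocklist_allows))
    print("allow-list lets through:", risky_uploads(SAMPLE, allowlist_allows))
```

Extension checks alone are still not sufficient: uploads should also be served with a non-executable content type or from a separate origin so that a stored file can never run as script in the application’s context.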

Author: IEMA IEMLabs (https://iemlabs.com)