
Cross-site Scripting (XSS) - Stored

Reported by scriptidiot on www.huntr.dev, 2022-03-09 17:44:57 (report ID 085AAFDD-BA50-44C7-9650-FA573DA29BCD)

EPSS: 0.001 (Low), percentile 50.5%

Description

The `type` parameter in the body of the POST request sent when adding or editing a tax in Microweber is vulnerable to stored XSS.

Affected page: Settings > Taxes > Tax type

Proof of Concept

Step (1): Access https://demo.microweber.org/?template=dream

Step (2): Browse to Settings > Taxes > Tax type

Step (3): Add a new tax or edit an existing one, entering a legitimate value, so that a legitimate request can be captured

Step (4): Modify the value of the `type` parameter in the POST request body with the example below, which is URL encoded:

"><img+src%3dx+onerror%3dalert(document.domain)>


Step (5): Forward the request after modification

An attacker-controlled alert box is displayed whenever a user opens this page (Settings > Taxes > Tax type).
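Why the encoded value above turns into script execution once it is stored, and the output encoding that stops it, as an added example in Python (not Microweber's code; the attribute template it renders is an assumption, since the report does not show the affected view):

```python
"""Why the stored tax type executes in the browser, and how escaping stops it.
Added example, not Microweber code: it assumes the page echoes the stored
`type` value into an HTML attribute; both templates below are constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# URL-encoded POST body value from the report, as the server receives it.
ENCODED_PAYLOAD = '"><img+src%3dx+onerror%3dalert(document.domain)>'

def decode_body_value(value: str) -> str:
    """Decode an application/x-www-form-urlencoded parameter value."""
    return unquote_plus(value)

def render_unsafe(tax_type: str) -> str:
    """Assumed vulnerable rendering: the stored value is concatenated raw."""
    return f'<input name="type" value="{tax_type}">'

def render_safe(tax_type: str) -> str:
    """Hardened rendering: escape(quote=True) encodes <, >, &, " and ',
    so the value can neither close the attribute nor open a new tag."""
    return f'<input name="type" value="{escape(tax_type, quote=True)}">'

class _TagCollector(HTMLParser):
    """Collect start tags and on* attributes as a browser's parser sees them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [n for n, _ in attrs if n.startswith("on")]

def injected_elements(html: str) -> dict:
    """Report tags and inline event handlers found in rendered HTML; usable
    as a regression test or a response-body check for this field."""
    parser = _TagCollector()
    parser.feed(html)
    return {"tags": parser.tags, "event_handlers": parser.event_handlers}

if __name__ == "__main__":
    stored = decode_body_value(ENCODED_PAYLOAD)
    print(injected_elements(render_unsafe(stored)))  # img tag with onerror
    print(injected_elements(render_safe(stored)))    # only the input tag
```

With the raw template the parser sees a second `img` element carrying an `onerror` handler; with the escaped template the whole value stays inside the `value` attribute and no extra element or handler appears.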


Impact

If an attacker can control a script that is executed in the victim's browser, they might compromise that user, in this case an admin, by stealing their cookies.
