huntr report CF59DEED-9D43-4552-ACFD-43F38F3AABBA (christynorl)

Stored XSS in the module named "Website settings"

2022-12-24 15:28:11
christynorl
www.huntr.dev
8
stored xss
website settings
admin interface
blacklists
xss vulnerability
fix
security problem
email
general
advanced
bug bounty

EPSS

0.001

Percentile

21.0%

Description

Our engineer found security problems when testing our website, and I have tested the demo website you provided. I found that there is indeed an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Thanks.


The reason for the vulnerability is that you have used blacklists in /src/MicroweberPackages/Helper/XSSClean.php for filtering, but the blacklists are not complete: there are still event handlers that can be used, such as ‘onbeforeinput’.

Video link: https://drive.google.com/file/d/1gHXwqgI_uyIlMD45OhjopLFf5Gz9LovY/view?usp=share_link

Steps

1. Log in as administrator.

2. Click the ‘Settings’ module.

3. Go into the section named ‘E-mail’ or ‘General’.

4. Enter the following value in the input box of the page:

xss"onbeforeinput="alert(1)"

This vulnerability lies in the ‘Settings’ module of the administrator interface. All sections of the ‘Website settings’ module, including ‘General’, ‘E-mail’ and ‘Advanced’, have this XSS vulnerability.
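As an added example (not code from the Microweber project or from this report), the PHP below contrasts the blacklist style of filtering the report describes with context-aware output encoding, using the payload from the steps above. The blacklist contents, the function names and the rendered input markup are assumptions; the real XSSClean.php list is not reproduced.

```php
<?php
// Added example; the handler list below is constructed for illustration
// and is not the project's actual blacklist. A name-based blacklist only
// knows the handlers it lists, so any other on* handler passes untouched.
function blacklistFilter(string $input): string
{
    $blocked = ['onclick', 'onload', 'onerror', 'onmouseover'];
    foreach ($blocked as $handler) {
        $input = preg_replace('/' . $handler . '\s*=/i', '', $input);
    }
    return $input;
}

// Hardened alternative: encode on output for the attribute context.
// ENT_QUOTES turns the double quote into &quot;, so a stored value can
// never close the attribute, whatever handler name follows it.
function renderSettingInput(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="setting" value="' . $safe . '">';
}

// Review helper for already-stored settings: flags an attribute breakout
// followed by any on*= handler without having to enumerate handler names.
function looksLikeAttributeBreakout(string $value): bool
{
    return preg_match('/["\'][^"\']*\bon[a-z]+\s*=/i', $value) === 1;
}

$payload = 'xss"onbeforeinput="alert(1)"';   // value from the report

// The blacklist leaves the payload intact: onbeforeinput is not listed.
assert(blacklistFilter($payload) === $payload);

// Encoding yields inert markup: the quote becomes &quot;, no new attribute.
$html = renderSettingInput($payload);
assert(strpos($html, 'value="xss&quot;onbeforeinput=&quot;alert(1)&quot;"') !== false);

// The generic check catches the stored value; a benign title does not match.
assert(looksLikeAttributeBreakout($payload) === true);
assert(looksLikeAttributeBreakout('My Site Title') === false);

echo $html, PHP_EOL;
```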

