1377 matches found
CVE-2021-33988
Cross Site Scripting XSS. vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form...
CVE-2021-33988
Cross Site Scripting XSS. vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form...
Cross site scripting
Cross Site Scripting XSS. vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form...
CVE-2021-33988
Cross Site Scripting XSS. vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form...
CVE-2021-33988
CVE-2021-33988 is a Cross-Site Scripting (XSS) vulnerability reported in Microweber CMS version 1.2.7 accessible via the Login form. The concrete details from connected sources state that an attacker could inject and execute Javascript by placing code in the login request form, enabling a client-...
Microweber 跨站脚本漏洞
Microweber is an online store management system that provides drag and drop functionality from the Microweber community in the United States. The system includes modules for adding products, images, and more. A security vulnerability exists in Microweber CMS version 1.2.7, which can be exploited ...
in microweber/microweber
Description I create a coupon only for one user and also is one-time use coupon. then create two user and both of them can use the coupon but only one of them should able to use the coupon...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description Attacker able to delete any file In Files module if this module enabled there isn't any csrf protection in this endpoint. Proof of Concept After open the PoC.html file you can see that the file with name 1.jpg will be deleted. //PoC.html history.pushState'', '', '/'...
Improper Privilege Management in microweber/microweber
✍️ Description A simple user without Super Admin access is able to add further users to the system. 🕵️♂️ Proof of Concept BurpSuite or proxy utility is required - 1;Simply add a simple User roled user USER A . - 2; Log in with USER A - 3; Obtain the X-Csrf-Token and the Cookie value of USER A - 4;...
Cross-Site Request Forgery (CSRF) in microweber/microweber
✍️ Description Attacker able to delete any user if knows the user id parameter value. 🕵️♂️ Proof of Concept Here after running PoC.html and you will see that the user with id 3 has been deleted. //PoC.html history.pushState'', '', '/' document.forms0.submit; 💥 Impact Here a user with id value 3...
Cross-Site Request Forgery (CSRF) in microweber/microweber
✍️ Description Attacker able to batch delete any Website pages if knows the pages id parameter value. 🕵️♂️ Proof of Concept Here after running PoC.html on Firefox or Safari and click on submit button also can be auto-submit you will see that the files with id from 9 to 15 have been deleted...
Cross-Site Request Forgery (CSRF) in microweber/microweber
✍️ Description microweber is vulnerable to Cross-site request forgery. The app is not checking the CSRF token when adding new products to the cart. 🕵️♂️ Proof of Concept HTML content: HTML setTimeout = form.submit; , 2000; 1. Save the above content into an HTML file. 2. Open the file on the...
Business Logic Errors in microweber/microweber
✍️ Description microweber is vulnerable to Business Logic error through negative product price. 🕵️♂️ Proof of Concept HTML content: HTML 1. Save the above content into an HTML file. 2. Access the app localhost and add a product to the cart. 3. Open the HTML file and click on submit button to take...
Microweber has a file upload vulnerability
Microweber is a new generation of CMS generation tools. Microweber suffers from a file upload vulnerability that can be exploited by an attacker to gain control of the server...
Microweber CMS 1.1.20 Remote Code Execution
Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution Authenticated Date: 2020-10-31 Exploit Author: sl1nki Vendor Homepage: https://microweber.org/ Software Link: https://github.com/microweber/microweber/tree/1.1.20 Version: " . shellexec$REQUEST"fexec" . ""; ?' Notes: SSL verification is...
Microweber CMS 1.1.20 - Remote Code Execution (Authenticated) Exploit
Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution Authenticated Exploit Author: sl1nki Vendor Homepage: https://microweber.org/ Software Link: https://github.com/microweber/microweber/tree/1.1.20 Version: " . shellexec$REQUEST"fexec" . ""; ?' Notes: SSL verification is disabled by...
Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)
Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution Authenticated Date: 2020-10-31 Exploit Author: sl1nki Vendor Homepage: https://microweber.org/ Software Link: https://github.com/microweber/microweber/tree/1.1.20 Version: " . shellexec$REQUEST"fexec" . ""; ?' Notes: SSL verification is...
Arbitrary File Write
microweber is vulnerable to arbitrary file write. The vulnerability exists because a user with administrative level privilege can write files via the backup restore feature by uploading a malicious constructed ZIP file with file paths including relative paths i.e., ../../, moving this file into t...
CVE-2020-28337
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously...
CVE-2020-28337
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously...