Coordinated Disclosure Timeline

  • 2021-09-15: Report sent to admin@microweber.com
  • 2021-09-17: Fixed by this commit
  • 2021-09-17: Fix reverted since it broke some features.
  • 2022-03-25: Fixed in v1.2.12
  • 2022-04-27: We realised the fix was not complete and reported it to the maintainer.
  • 2022-04-27: Maintainers claimed that the vulnerability is fixed and marked our new report as invalid.
  • 2022-04-27: We informed the maintainer about how the vulnerability can be exploited.
  • 2022-06-15: We disclose the advisory as per our disclosure policy.

Summary

Copy-paste XSS in Microweber text editor

Product

Microweber

Tested Version

v1.2.8

Details

Issue: Copy-paste XSS in Microweber (GHSL-2021-1005)

The Microweber text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload and pasting it into the text editor, which then inserts the attacker-controlled HTML into the page without stripping event handlers.

Proof of concept (tested on Chrome):

  • Open this page: cdn.sekurak.pl/copy-paste/playground.html
  • Paste the following code into “HTML Input”:
      <img src="foo" onload="alert(1)" onerror="alert(2)"/>
  • Click “Copy as HTML”
  • Log in to the admin page, and start a live-edit session.
  • For example, just open https://demo.microweber.org/ and it will automatically log you into a demo account.
  • Open https://demo.microweber.org/demo/modern-golder-watch
  • Select some of the text, such that you can write in it
  • Paste into the text editor.
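The defensive counterpart to the steps above is to treat the `text/html` flavour of the clipboard as untrusted input and rebuild it from an allowlist before it reaches the document. The following is an added example, not code from the advisory or from Microweber: a small allowlist filter (`sanitizePastedHtml`, with the tag and attribute lists, `isSafeUrl` and `installPasteGuard` all being this example's own names) applied to the advisory's payload. It exists to make the allowlist idea concrete; a production editor should use a maintained sanitizer such as DOMPurify rather than hand-rolled tag parsing, because regex-based filters are hard to get right against every browser parsing quirk.

```javascript
// Added example (not from the advisory or Microweber): allowlist filtering
// of HTML arriving through a paste event. Teaching version; use DOMPurify
// or an equivalent maintained sanitizer in real code.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'u', 'a', 'img',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote',
]);
// Attributes that survive, per element. No on* handlers and no style.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt']),
};
// Elements whose body is removed too, not just the tags around it.
const DROP_WITH_BODY = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

// Accept relative URLs and a short list of schemes. Values that would need
// entity decoding to be understood are refused outright instead of decoded.
function isSafeUrl(raw) {
  const value = raw.replace(/[\u0000-\u0020]/g, '');
  if (value.includes('&')) return false;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (!scheme) return true; // relative URL
  return ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase());
}

// Re-emit only allowlisted attributes, always double-quoted.
function rebuildAttributes(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name) || m[2] === undefined) continue;
    let value = m[2];
    if (/^["']/.test(value)) value = value.slice(1, -1);
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

function sanitizePastedHtml(html) {
  // 1. Remove dangerous elements together with their content.
  let s = html;
  for (const tag of DROP_WITH_BODY) {
    s = s.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi'), '');
  }
  // 2. Walk remaining tags and comments; rebuild each allowed tag from scratch.
  //    Markup of disallowed tags is dropped while their text content is kept.
  return s.replace(/<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g,
    (match, slash, name, attrs) => {
      if (name === undefined) return ''; // HTML comment
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return '';
      if (slash) return `</${tag}>`;
      return `<${tag}${rebuildAttributes(tag, attrs)}>`;
    });
}

// Browser-side glue (hypothetical wiring, not executed here): prefer the
// sanitized HTML flavour, fall back to escaped plain text.
function installPasteGuard(editorElement) {
  editorElement.addEventListener('paste', (event) => {
    event.preventDefault();
    const html = event.clipboardData.getData('text/html');
    const text = event.clipboardData.getData('text/plain');
    const safe = html
      ? sanitizePastedHtml(html)
      : text.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
    document.execCommand('insertHTML', false, safe);
  });
}

// Constructed input: the payload from the advisory's proof of concept.
const advisoryPayload = '<img src="foo" onload="alert(1)" onerror="alert(2)"/>';
console.log('before:', advisoryPayload);
console.log('after: ', sanitizePastedHtml(advisoryPayload)); // <img src="foo">
```

The key design choice is that the filter never tries to "clean" a tag it already has; it rebuilds every surviving element from the allowlists, so an attribute the editor did not expect (an `onload`, a `style`, a `javascript:` URL) cannot slip through by being spelled unusually. Anything that would require entity decoding to judge is rejected rather than decoded, which is the safe default for a filter this small.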

Note: This issue was found using the following CodeQL query

Impact

This issue may lead to XSS, but it requires user interaction: the victim has to paste attacker-controlled content into the editor.

CVE

  • CVE-2021-32856

Credit

This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-1005 in any communication regarding this issue.