Microweber
cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*
- <= 2.0.9
A stored cross-site scripting vulnerability has been identified in Microweber versions through 2.0.9. This vulnerability allows remote attackers to execute arbitrary JavaScript code by injecting it into the campaign Name field within the 'Add new campaign' function. The injected script is executed when the campaign list is viewed or when adding a new subscriber.
Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser. This could lead to the theft of information or manipulation of the user into visiting malicious websites.
To reproduce this vulnerability, first log into the Microweber application with administrative privileges. Navigate to the '/admin/modules/newsletter/lists' endpoint and click on '+ Add new list'. In the 'List name' field, insert a payload such as an image tag with an 'onerror' event. After saving, the injected script will execute when viewing the campaign list or during the process of adding a new subscriber.
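The fix for this class of bug is output encoding at every place the stored name is rendered. The following is an added example, not Microweber source code, showing the unescaped pattern beside an encoded version for the two views named above. The function names, the markup, the sample rows and the use of a list picker in the add-subscriber view are assumptions made for illustration.

```php
<?php
// Added example, not Microweber source; function names and markup are assumptions.

// Constructed sample rows standing in for stored newsletter lists.
$lists = [
    ['id' => 1, 'name' => 'Spring promo'],
    ['id' => 2, 'name' => '<img src=x onerror=alert(1)>'], // constructed test string
];

// Encode for HTML text and quoted-attribute contexts.
function e_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged.
function render_list_rows_unsafe(array $lists): string
{
    $html = '';
    foreach ($lists as $row) {
        $html .= '<tr><td>' . $row['name'] . "</td></tr>\n";
    }
    return $html;
}

// Hardened sink 1: the list overview table.
function render_list_rows(array $lists): string
{
    $html = '';
    foreach ($lists as $row) {
        $html .= '<tr><td>' . e_html($row['name']) . "</td></tr>\n";
    }
    return $html;
}

// Hardened sink 2: the list picker shown while adding a subscriber.
function render_list_options(array $lists): string
{
    $html = '';
    foreach ($lists as $row) {
        $name = e_html($row['name']);
        $html .= sprintf("<option value=\"%d\" title=\"%s\">%s</option>\n", (int) $row['id'], $name, $name);
    }
    return $html;
}

echo render_list_rows_unsafe($lists); // markup in the name reaches the browser as markup
echo render_list_rows($lists);        // markup in the name reaches the browser as text
echo render_list_options($lists);
```

Because the value is stored, encoding has to be applied at each render site; names saved before a fix remain in the database and are only neutralised where the output is encoded.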