Microweber
cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*
- <= 2.0.9
A stored cross-site scripting vulnerability has been identified in Microweber versions through 2.0.9. This vulnerability allows remote attackers to execute arbitrary JavaScript code by exploiting the 'create new backup' function within the admin backup module.
Exploitation of this vulnerability allows for the execution of JavaScript code in the context of the victim's browser. This could be used to steal information or redirect the user to malicious websites.
To reproduce this vulnerability, first log into the Microweber application with administrative privileges. Navigate to the admin backup module and initiate the 'Create New Backup' process. Choose any backup option, ensuring that 'Custom backup' includes media files. Once the backup is created, download the zip file and insert a file named '<img src=x onerror=alert(1)>.jpg' into the '/media/default/' directory of the zip file. Upload the modified zip file through the backup module. After uploading, restore the backup using one of the available options, which will trigger the JavaScript injection. Finally, visit the files module or the files settings group to execute the injected JavaScript.
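The root cause described above is a file name taken from an uploaded archive and later placed into the files module's HTML without validation or encoding. The example below is added here to illustrate the two defensive controls that close that gap; it is not Microweber's own code and makes no assumptions about its internals. It validates every entry name in a backup zip before restoring it (rejecting HTML metacharacters and path traversal alike) and HTML-escapes any name that is shown in a page. The archive it inspects is constructed in memory with a benign entry, an entry carrying the payload from the advisory, and a traversal entry.

```python
import html
import io
import re
import zipfile

# Allow only conservative characters in each path component of a backup entry.
# Anything outside this set (including < > " ' and whitespace) is rejected outright.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_entry_name(name: str) -> bool:
    """Return True if a zip entry name is safe to restore onto disk and show in the UI."""
    if not name or name.startswith(("/", "\\")) or "\\" in name:
        return False
    parts = name.split("/")
    # Directory entries end in "/", leaving an empty trailing component.
    if name.endswith("/"):
        parts = parts[:-1]
    for part in parts:
        # Empty, "." and ".." components enable traversal; the regex blocks markup.
        if part in ("", ".", "..") or not SAFE_COMPONENT.match(part):
            return False
    return True


def unsafe_entries(zip_bytes: bytes) -> list:
    """List the entry names in a backup archive that fail validation (restore should abort if non-empty)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry_name(n)]


def display_name(name: str) -> str:
    """HTML-escape a file name before placing it in markup (output encoding, the second line of defence)."""
    return html.escape(name, quote=True)


def build_sample_backup() -> bytes:
    """Build a constructed sample archive in memory; this is test data, not a real Microweber backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/default/photo.jpg", b"\xff\xd8\xff")
        zf.writestr("media/default/<img src=x onerror=alert(1)>.jpg", b"")
        zf.writestr("../outside.txt", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_backup()):
        print("rejected:", display_name(entry))
```

A restore routine would call `unsafe_entries` on the uploaded archive and refuse the whole backup if the list is non-empty; `display_name` is still applied wherever a stored name reaches HTML, so a name that slips past validation through some other path is rendered as text rather than markup.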