Microweber Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Microweber versions up to and including 2.0.9. An attacker with access to the user management module (the reproduction below uses an account with administrative rights) can store arbitrary JavaScript by entering it in the First Name or Last Name fields of a user record. The values are rendered without output encoding, so the stored script executes in the browser of anyone who later opens the user module view.

Impact

Successful exploitation runs the injected JavaScript in the browser of every user who views the affected page, in the origin of the Microweber site. Because the user module view is an administrative page, the script typically runs with an administrator's session. It can read information available to that page, perform actions on the victim's behalf, or redirect the victim to attacker-controlled websites.

Reproduction

To reproduce this vulnerability, log into the Microweber application with administrative rights and navigate to the user management section. Select an existing user to edit, or create a new one. Enter a script payload, such as an image tag whose error event handler contains JavaScript, into the First Name or Last Name field and save the record. Then open the user module view: the stored payload is rendered as markup and the handler fires, executing the injected JavaScript.
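The following is an added example and not Microweber's own code. It shows the payload class the advisory describes, a rendering pattern that reproduces the bug (user-controlled fields concatenated straight into HTML), the hardened form that encodes the fields before they reach the markup, and a triage helper for finding records that already carry such payloads in a users table. The field names, the sample rows and the rendering functions are assumptions made for illustration.

```javascript
// Added example, not Microweber code. Field names (first_name, last_name)
// and the row-rendering functions are assumptions for illustration.

// Constructed sample payload of the kind the advisory describes: an image tag
// whose error handler runs when the (deliberately broken) image fails to load.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: the stored name is interpolated into the page HTML as-is,
// so the browser parses the tag and fires its onerror handler.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.first_name}</td><td>${user.last_name}</td></tr>`;
}

// Hardened form: encode the HTML-significant characters before the value is
// placed in markup, so the payload is displayed as text rather than parsed.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.first_name)}</td><td>${escapeHtml(user.last_name)}</td></tr>`;
}

// Triage helper for an already-deployed instance: flag stored names that
// contain a tag opener, an inline event handler attribute, or a javascript: URL.
// Apostrophes, hyphens and non-ASCII letters are legitimate in names and are
// deliberately not flagged.
const MARKUP_RE = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i;

function looksLikeMarkup(value) {
  return MARKUP_RE.test(String(value));
}

function findSuspiciousUsers(users) {
  return users.filter(u => looksLikeMarkup(u.first_name) || looksLikeMarkup(u.last_name));
}

// Constructed sample rows standing in for a dump of the users table.
const SAMPLE_USERS = [
  { id: 1, first_name: 'Ada', last_name: 'Lovelace' },
  { id: 2, first_name: 'Niamh', last_name: "O'Brien" },
  { id: 3, first_name: PAYLOAD, last_name: 'Smith' },
  { id: 4, first_name: 'Zoë', last_name: '<svg/onload=alert(1)>' },
];

console.log('unsafe row:', renderUserRowUnsafe(SAMPLE_USERS[2]));
console.log('safe row:  ', renderUserRowSafe(SAMPLE_USERS[2]));
console.log('flagged ids:', findSuspiciousUsers(SAMPLE_USERS).map(u => u.id));
```

The unsafe row reproduces the condition in the advisory: the image tag survives intact and the error handler runs as soon as the row is inserted into the document. The safe row renders the same record with the tag neutralised. The triage regex is intentionally conservative; on a real instance, review any flagged record by hand rather than deleting it automatically, and check the template layer for the actual fix, since encoding must happen at output time regardless of what the database contains.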

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.