Microweber Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Microweber version 2.0.15. An authenticated attacker can store a script payload in user profile fields, the 'First Name' field in particular. The stored value is later rendered into pages viewed by other users, so the payload executes arbitrary JavaScript in the browser of every user who views the profile, which can be used, for example, to steal that user's session cookie.

Impact

The injected script runs in the security context of whichever user views the attacker's profile, with that user's session and privileges. A low-privileged account can therefore target administrators who view user profiles, steal their session cookies, or perform actions in their name.

Reproduction

To reproduce this vulnerability, log into the application and navigate to 'Users > Edit Profile'. In the 'First Name' field, enter a script payload, such as an image tag with an 'onerror' event handler. Save the changes, then visit any page that displays the modified user profile (ideally from a second, separate user account, to confirm the cross-user impact). If the field is vulnerable, the browser parses the stored tag and executes the handler when the profile is rendered.
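The following is an added example and not code from Microweber. It contrasts a rendering routine that concatenates the stored first name into HTML verbatim (the pattern behind a stored XSS like the one described above) with a hardened version that encodes every user-controlled value at the point it is written into the page, and includes a simple check a tester can run on rendered markup. The function names, the user object shape and the sample payload are assumptions for illustration; JavaScript is used because the point is how the viewer's browser interprets the markup, and the same encoding step in a PHP application is htmlspecialchars() on output.

```javascript
// Added example (not Microweber's code). Function names, the user object
// shape and the payload below are assumptions for illustration.

// Constructed sample: the kind of value the advisory describes an attacker
// typing into the 'First Name' field.
const ATTACKER_FIRST_NAME = '<img src=x onerror="alert(document.cookie)">';

// HTML entity encoding for text placed in an element body or a
// double-quoted attribute. The five characters below are the ones that
// can change the HTML parsing context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored string is written into the HTML as-is,
// so a viewer's browser parses the <img> tag and runs the onerror handler
// (src=x never loads, which is what triggers it).
function renderProfileUnsafe(user) {
  return `<div class="profile"><h2>${user.first_name} ${user.last_name}</h2></div>`;
}

// Hardened rendering: each user-controlled value is encoded for the HTML
// context it lands in, so the payload is displayed as text, not parsed.
function renderProfileSafe(user) {
  return `<div class="profile"><h2>${escapeHtml(user.first_name)} ${escapeHtml(user.last_name)}</h2></div>`;
}

// Crude check over rendered markup: does an unencoded <img> tag with an
// on* event handler attribute survive into the output?
function containsActiveHandler(html) {
  return /<img[^>]*\son[a-z]+\s*=/i.test(html);
}

const user = { first_name: ATTACKER_FIRST_NAME, last_name: 'Doe' };
console.log(containsActiveHandler(renderProfileUnsafe(user))); // true
console.log(containsActiveHandler(renderProfileSafe(user)));   // false
```

The check in containsActiveHandler is deliberately narrow (it only recognises the image-tag variant used in the reproduction steps); it is a quick confirmation for this advisory, not a general XSS detector. The fix that matters is the one in renderProfileSafe: encode on output for the context the value is inserted into, rather than trying to filter payloads on input.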

Added: Dec 11, 2025, 10:42 PM
Updated: Dec 11, 2025, 10:42 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.3
exploitability: 6.5
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.