Microweber CMS Reflected Cross-Site Scripting Vulnerability in Admin Page Layout Parameter

A reflected cross-site scripting vulnerability has been identified in Microweber CMS version 2.0. The issue arises in the admin panel's page creation interface, specifically through the layout parameter on the /admin/page/create page. This vulnerability allows authenticated admin users to execute arbitrary JavaScript in their session context.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed immediately in the context of the affected user.

Reproduction

To reproduce this vulnerability, navigate to the /admin/page/create page and add a layout parameter with a script injection payload, such as a script tag containing JavaScript code, such as an alert command. The injected script will be executed in the context of the admin user.

Remediation

It is recommended to sanitize and validate the layout parameter on the server side before using it in Blade template includes. Implement strict allowlist checks to permit only known-safe layout filenames and use Laravel's escaping functions to handle user inputs.