Microweber CMS Stored Cross-Site Scripting Vulnerability in User Profile

Vulnerability

A stored cross-site scripting vulnerability has been identified in Microweber CMS version 2.0. This issue allows attackers to inject malicious scripts into user profile fields, which are then executed as arbitrary JavaScript in the browsers of admin users. The vulnerability arises because the application fails to properly sanitize or encode user inputs in the 'first_name' and 'last_name' fields before displaying them.

Impact

Exploitation of this vulnerability allows for persistent execution of injected JavaScript, potentially compromising the admin panel. This could lead to session hijacking if the session cookie does not have the 'HttpOnly' flag set, and could facilitate redirection or phishing attacks. Additionally, DOM-based payloads could be executed by chaining the attack.

Reproduction

To reproduce this vulnerability, access the user profile edit page in the admin panel. Inject a script payload into the 'first_name' and 'last_name' fields, then save the changes. Upon refreshing the profile page, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, it is recommended to sanitize and encode all user inputs, particularly the 'first_name' and 'last_name' fields, before rendering them on any page. Using Microweber's built-in functions for output encoding, together with server-side validation that rejects inputs containing script tags or JavaScript patterns, can help mitigate this issue.
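The remediation above, sketched as an added example in plain PHP (it is not Microweber's code and does not use Microweber's own helpers). The function names `e_html`, `validate_name`, `render_vulnerable` and `render_hardened` are hypothetical, the sample profile is constructed, and the validation uses an allow-list of name characters as an assumption in place of a deny-list of script patterns.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not part of Microweber's API.

/** Encode a value for an HTML text node or a quoted attribute value. */
function e_html(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Server-side validation on save: 1 to 64 characters, starting with a letter,
 * then letters, combining marks, spaces, periods, apostrophes or hyphens.
 * Returns the trimmed value, or null when the input must be rejected.
 */
function validate_name(string $value): ?string
{
    $value = trim($value);
    $ok = preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,63}$/Du', $value) === 1;
    return $ok ? $value : null;
}

/** The flawed pattern: stored fields concatenated into markup unencoded. */
function render_vulnerable(array $user): string
{
    return '<td class="name">' . $user['first_name'] . ' ' . $user['last_name'] . '</td>';
}

/** The corrected pattern: every stored field is encoded at output time. */
function render_hardened(array $user): string
{
    return '<td class="name">' . e_html($user['first_name']) . ' '
        . e_html($user['last_name']) . '</td>';
}

// Constructed sample record, as it would sit in storage if saved unvalidated.
$stored = ['first_name' => '<script>alert(1)</script>', 'last_name' => "O'Brien"];

echo render_vulnerable($stored), PHP_EOL; // markup reaches the browser intact
echo render_hardened($stored), PHP_EOL;   // markup is emitted as inert text

// Validation at the save endpoint rejects the first value and keeps the second.
var_dump(validate_name($stored['first_name']));
var_dump(validate_name($stored['last_name']));
```

Encoding at render time is the control that closes the hole, because it also covers values already stored before the fix; the validation step only limits what new input is accepted.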

Added: Jul 31, 2025, 6:25 PM
Updated: Jul 31, 2025, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.5
exploitability: 6.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.