Microweber CMS Cross-Site Scripting Vulnerability in Profile Last Name Field

A stored cross-site scripting vulnerability has been identified in Microweber CMS version 2.0. The issue arises in the '/projects/profile' endpoint, where user input in the last name field is not properly sanitized. This allows injected scripts to be stored and later executed, reflecting the malicious payload on the homepage.

Impact

Exploitation of this vulnerability allows for the theft of tokens and session cookies, leading to persistent account compromise. It also opens up phishing and social engineering opportunities, and could potentially allow hijacking of an admin account if the injected script is viewed by an administrator.

Reproduction

To reproduce this vulnerability, log into the Microweber CMS and navigate to the profile editor. Inject a script payload into the last name field and save the changes. Then, visit the homepage to see the script execution, which will trigger an alert displaying the document cookies.

Remediation

It is recommended to escape profile fields before rendering them on any page, disallow special characters in first and last names through input validation, and sanitize and encode inputs using appropriate functions.