Microweber Cross-Site Scripting Vulnerability in Category Creation Endpoint

A cross-site scripting (XSS) vulnerability has been identified in Microweber version 2.0.19, specifically within the '/admin/category/create' endpoint. The issue arises from the 'rel_id' parameter, which can be manipulated in a crafted URL. An attacker could lure an admin user to visit this URL, resulting in the execution of JavaScript code in the user's browser. This vulnerability was reported to the developers and subsequently fixed in version 2.0.20.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious scripts in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, first install Microweber version 2.0.19. After setting up the application, visit the '/admin/category/create' endpoint with a crafted URL that includes a malicious 'rel_id' parameter. The injected script will be executed, demonstrated by an alert pop-up.

Remediation

Users can upgrade to Microweber version 2.0.20 or later, where this vulnerability has been fixed.