0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

Microweber XSS

The Issue

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorised actions being performed, unauthorised access to data, stealing of session information, denial of service, etc. For the issue to be exploited, an attacker must coerce a victim into visiting a link that carries the XSS payload.

Where the Issue Occurred

Line 114 of microweber/userfiles/modules/users/login/templates/admin.php (admin.php#L114):

<input class="mw-ui-field mw-ui-field-big silver-field" autofocus="" tabindex="1" required name="username" type="text" placeholder="<?php _e("Username or Email"); ?>" <?php if (isset($_REQUEST['username']) != false): ?> value="<?php print $_REQUEST['username'] ?>"  <?php endif;
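The defect is that the raw value of $_REQUEST['username'] is printed inside a double-quoted HTML attribute, so a double quote in the request closes the attribute and whatever follows is parsed as markup. The following script is an added example, not Microweber's code: it reduces the input tag to its essentials (the _e() translation helper and CSS classes are dropped), feeds it a constructed request value instead of a live $_REQUEST, and renders the field once the vulnerable way and once with htmlspecialchars() applied, which is the standard PHP fix for output into HTML attributes.

```php
<?php
// Added example (not Microweber's own code). Renders the login form's
// username field the vulnerable way and the hardened way so the
// difference can be seen from the command line without a web server.

// Constructed sample input standing in for $_REQUEST['username'].
// The double quote is what breaks out of the value="..." attribute.
$request = ['username' => 'alice"><em>injected</em>'];

// Vulnerable rendering, mirroring admin.php#L114: the raw request value
// is concatenated into a quoted attribute with no encoding.
function render_vulnerable(array $request): string
{
    $value = '';
    if (isset($request['username']) != false) {
        $value = ' value="' . $request['username'] . '"';
    }
    return '<input name="username" type="text"' . $value . '>';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES encodes ", ', <,
// > and & so the value cannot terminate the attribute or start a tag,
// whatever the request contains. The encoding is given explicitly so
// the function does not depend on the default_charset ini setting.
function render_fixed(array $request): string
{
    $value = '';
    if (isset($request['username'])) {
        $safe = htmlspecialchars($request['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $value = ' value="' . $safe . '"';
    }
    return '<input name="username" type="text"' . $value . '>';
}

echo 'vulnerable: ' . render_vulnerable($request) . PHP_EOL;
echo 'fixed:      ' . render_fixed($request) . PHP_EOL;
```

Run it with `php example.php`: the vulnerable line shows the attribute closed early and an <em> element appended after the input, while the fixed line keeps the whole string inside value="..." as &quot; and &lt;/&gt; entities. The same htmlspecialchars() call, or the template engine's equivalent auto-escaping, is the change to apply at line 114 of admin.php.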

Disclosure Timeline

  • Issue Reported: 29th September 2018
  • Blog Post Published: 28th October 2018
  • Applied for CVE: