Hard News Hard Hitting News Source Global Political News

Microweber developers resolve XSS vulnerability in CMS software

Security researchers have uncovered a stored cross-site scripting (XSS) vulnerability in Microweber, an open source website builder and content management system (CMS).

The security issue, discovered by researchers James Yeung and Bozhidar Slaveykov, and tracked as CVE-2022-0930, was resolved in version 1.2.12 of Microweber.

The problem arose because of shortcomings in the content filtering protections offered by earlier versions of Microweber.

These shortcomings meant it was possible for attackers to upload an XSS payload, provided it contained a file whose name ended with 'html', a category that includes far more than just simple .html files.

Once this payload is uploaded, a URL with malicious HTML can be accessed and malicious JavaScript executed.

By controlling a script that is executed in the victim’s browser, it would be possible for an attacker to steal cookies before impersonating a victim, potentially the administrator of a compromised system.

The attack is explained in greater depth in a technical blog post – featuring a proof-of-concept exploit – put together by Yeung and Slaveykov.

The Daily Swig invited Microweber to comment on the researchers’ findings via a message sent through a webform on its website. In response, Microweber confirmed that the “issue is already fixed”.

Asked how they came across Microweber as a target, Yeung told The Daily Swig: “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that’s why I joined that mania!”

The vulnerabilities uncovered in Microweber are typical of those found in other comparable enterprise software packages, according to Yeung.

“I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client),” the researcher explained.

Yeung concluded that developers should move towards using allow-lists and away from using block-lists as a means to minimize problems in this area.
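To illustrate the allow-list point above, here is an added example (not code from Microweber or the researchers) of an upload filename check written both ways, plus the response headers that stop a stored upload from being rendered as a page even if a check is wrong. The extension sets and sample filenames are constructed for the demonstration.

```python
import os

# Constructed: what a "deny known-bad" filter typically enumerates.
BLOCK_LIST = {".html", ".php"}
# Constructed: what this hypothetical site actually needs to accept.
ALLOW_LIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def extension(filename: str) -> str:
    """Strip any path, lower-case, and return only the final suffix."""
    base = os.path.basename(filename)
    return os.path.splitext(base)[1].lower()


def blocklist_allows(filename: str) -> bool:
    """Weak: accepts anything that is not explicitly denied.

    Any suffix the author did not think of (other names that end in
    'html', for instance) sails through, which is the class of gap the
    article describes.
    """
    return extension(filename) not in BLOCK_LIST


def allowlist_allows(filename: str) -> bool:
    """Stronger: accepts only suffixes the site has a reason to serve."""
    ext = extension(filename)
    return ext != "" and ext in ALLOW_LIST


def upload_response_headers(filename: str) -> dict:
    """Defence in depth for serving user uploads: force a download and
    forbid MIME sniffing so the browser never treats the file as HTML."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name in ("photo.png", "page.html", "page.xhtml"):
        print(name, "block-list:", blocklist_allows(name),
              "allow-list:", allowlist_allows(name))
```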

Source: https://portswigger.net/daily-swig/microweber-developers-resolve-xss-vulnerability-in-cms-software
