# CVE-2024-33299
Stored Cross Site Scripting vulnerability in Microweber <= 2.0.9
## Summary :
A Stored Cross Site Scripting vulnerability in Microweber v.2.0.9 allows an authenticated attacker to store arbitrary JavaScript via the First Name and Last Name parameters of a user record. The script executes in the browser of any administrator who later views the endpoint **/admin/module/view?type=users**.
## Requirements :
- [Microweber](https://github.com/microweber/microweber) version <= 2.0.9
- Admin access
## Steps to reproduce :
1. Authenticate to the application with administrative privileges
2. Go to the endpoint **/admin/users**
3. Select an existing user to edit (or create a new user and then edit it)
4. Insert the payload `<img src=x onerror=alert(1)>` in either **"First Name"** or **"Last Name"**; both fields are rendered without escaping, so either one triggers the JavaScript injection
5. Go to the endpoint **/admin/module/view?type=users**; the stored payload executes as soon as the user list is rendered
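The defect behind these steps is a rendering problem: a stored name is written into the admin user list as raw HTML. The block below is an added example and is not Microweber's code; it assumes a simplified template that concatenates the `first_name` and `last_name` fields into a table (the project's real template is not reproduced here). It shows the vulnerable rendering beside an escaped version, and adds a small audit helper a responder can run over exported user records to find payloads that were stored before patching.

```javascript
// Added example, not Microweber's code. Models the class of bug behind
// CVE-2024-33299: a stored user name is rendered into the admin user list
// without HTML escaping. renderUsersTableUnsafe is an assumed simplification
// of the affected template, not the project's real markup.

// Constructed sample data. The second record carries the payload from the
// reproduction steps, exactly as an attacker would store it in "First Name".
const sampleUsers = [
  { id: 1, first_name: 'Alice', last_name: 'Admin' },
  { id: 2, first_name: '<img src=x onerror=alert(1)>', last_name: 'Smith' },
];

// Vulnerable rendering: untrusted fields are concatenated straight into markup,
// so the browser parses the stored <img> tag and fires its onerror handler
// when the admin page loads.
function renderUsersTableUnsafe(users) {
  let html = '<table>';
  for (const u of users) {
    html += `<tr><td>${u.first_name}</td><td>${u.last_name}</td></tr>`;
  }
  return html + '</table>';
}

// Minimal HTML entity escaper for text-node context. These five characters
// are the ones that let a value break out of text into a tag or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every stored field passes through escapeHtml before it
// reaches the markup, so the payload is displayed as literal text.
function renderUsersTableSafe(users) {
  let html = '<table>';
  for (const u of users) {
    html += `<tr><td>${escapeHtml(u.first_name)}</td><td>${escapeHtml(u.last_name)}</td></tr>`;
  }
  return html + '</table>';
}

// Audit helper for responders: after patching, already-stored payloads still
// sit in the database. This heuristic flags name fields that contain a tag,
// an inline event handler, or a javascript: URL. It is a triage aid and can
// produce false positives; review each hit by hand.
function findSuspiciousNames(users) {
  const markup = /<[a-z!\/?][^>]*>|\bon\w+\s*=|javascript:/i;
  const hits = [];
  for (const u of users) {
    for (const field of ['first_name', 'last_name']) {
      if (markup.test(u[field])) {
        hits.push({ id: u.id, field, value: u[field] });
      }
    }
  }
  return hits;
}

// Stand-alone demonstration on the constructed records.
console.log('unsafe:', renderUsersTableUnsafe(sampleUsers));
console.log('safe:  ', renderUsersTableSafe(sampleUsers));
console.log('audit: ', JSON.stringify(findSuspiciousNames(sampleUsers)));
```

Escaping at output time is the fix that matters; rejecting `<` on input is not a substitute, because the same stored value may be rendered in other contexts (JSON, e-mail, attributes) that need different encoding. The audit helper only covers the two fields named in this advisory; extend the field list if other free-text user attributes are rendered on the same page.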
## Affected components :
- /admin/module/view?type=users
## Impact :
JavaScript stored in a user's name executes in the browser of every administrator who later views the affected page, with that administrator's session. The script can read page content and any cookies not marked HttpOnly, issue requests to the application on the victim's behalf, or redirect the victim to an attacker-controlled site. Because the payload is stored, it fires on every visit until the user record is cleaned, not only once.
## Relevant References
https://www.cve.org/CVERecord?id=CVE-2024-33299