# CVE-2024-33297
Stored Cross Site Scripting vulnerability in Microweber <= 2.0.9
## Summary :
A Stored Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the "Add new campaign" function.
## Requirements :
- [Microweber](https://github.com/microweber/microweber) version <= 2.0.9
- Admin access
## Steps to reproduce :
1. Authenticate to the application with administrative privileges
2. Go to the endpoint **/admin/modules/newsletter/lists** and click on **"+ Add new list"**
3. Insert the payload `<img src=x onerror=alert(1)>` in the **"List name"** field
4. Click **"Save"** to trigger the JavaScript injection. The payload also fires when the current campaigns are listed and on the creation tab for a new subscriber.
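The two sinks named in the steps above (the lists table and the new-subscriber form) rendered in the vulnerable pattern and in the output-encoded form, with a parser-based check that shows whether the stored name became live markup. This is an added Python illustration of the fix pattern, not Microweber's code; the function names and template fragments are assumptions, and the stored name is the advisory's payload.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload from the advisory, as it would be
# stored in the newsletter "List name" column after step 4.
STORED_LIST_NAME = "<img src=x onerror=alert(1)>"


def render_list_row_unsafe(name: str) -> str:
    """Vulnerable pattern (assumed, for illustration): the stored name is
    concatenated into the lists table verbatim, so the <img> tag becomes
    live markup and its onerror handler runs in the admin's browser."""
    return f"<tr><td class='list-name'>{name}</td></tr>"


def render_list_row(name: str) -> str:
    """Hardened: HTML-encode the value where it lands in element text."""
    return f"<tr><td class='list-name'>{html.escape(name, quote=True)}</td></tr>"


def render_list_option(list_id: int, name: str) -> str:
    """Second sink from the advisory: the list name also appears on the new
    subscriber form. Here it lands in an attribute and in a text node, so
    both positions are encoded; quote=True is what protects the attribute."""
    safe = html.escape(name, quote=True)
    return f'<option value="{list_id}" title="{safe}">{safe}</option>'


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would create from a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list:
    """Regression check: which elements does the rendered fragment contain?
    Any tag beyond the template's own means user input became markup."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(start_tags(render_list_row_unsafe(STORED_LIST_NAME)))  # ['tr', 'td', 'img']
    print(start_tags(render_list_row(STORED_LIST_NAME)))         # ['tr', 'td']
    print(render_list_option(3, STORED_LIST_NAME))
```

The same check can be run against each place the list name is displayed, since the advisory shows the injection fires in more than one view.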
## Affected components :
- /admin/modules/newsletter
## Impact :
An attacker could execute JavaScript code in the victim's browser, for example to obtain information or to redirect the user to a malicious website.
## Relevant References
https://www.cve.org/CVERecord?id=CVE-2024-33297