Stored XSS Vulnerability in Microweber Version 2.0.1

A Stored XSS vulnerability has been identified in Microweber Version 2.0.1, posing a significant risk to user data. This article explores the vulnerability, its discovery, current status, and mitigation steps.

Action Points

1. Microweber is an open-source drag-and-drop website builder and content management system (CMS).
2. Stored XSS injects malicious code into web apps via stored user input, and can be used to perform harmful actions such as stealing user cookies, etc.
3. The Stored XSS vulnerability has been reported to the platform, which is in the process of rolling out a patch soon.
4. To protect yourselves promptly update to the latest security version once released.

But before we jump into the deep end, let’s understand some basics:

What is Microweber?

Microweber is an open-source drag-and-drop website builder. It is a powerful content management system (CMS) that has been installed more than 100,000 times with 40000 + active users. 

However, while running security tests a new Stored XSS Vulnerability has been discovered by Astra’s Security Team in the latest version i.e. Microweber Version 2.0.1, released on October 27, 2023.

What is Stored XSS vulnerability?

Stored Cross-Site Scripting (Stored XSS) is a specific form of XSS attack that injects malicious code into a vulnerable web application, targeting users’ browsers instead of the web server directly.

The attack leverages user input that is saved or “stored” on the target server, including places like a message forum, a visitor log, or a comment field. 

Such an input if not sanitized through input validation, output encoding, and security headers, might be injected with malicious script. When a victim interacts with the compromised web application and requests the stored information, their browser retrieves and executes the malicious code from the server. 

What is the impact of Stored XSS?

Stored XSS attacks can have severe consequences, which can vary based on the privileges assigned to the affected user such as:

1. Data Theft and Session Hijacking

Once executed, the malicious code can steal the victim’s data (e.g., cookies and user info), allowing unauthorized access, impersonation, and performing actions on the victim’s behalf (e.g., changing settings, making transactions).

2. Malware & ransomware Propagation

Malicious Scripts used in a Stored XSS attack can also be designed to trigger downloads of malware or ransomware from external sources or exploit vulnerabilities in users’ browsers to deliver malware payloads, potentially compromising their devices and spreading the malware further. 

Website Defacement:

Malicious Scripts used in a Stored XSS attack can also be designed to alter the appearance and content of the web page, effectively defacing the website. For example, they replace content, change layouts, or add unwanted ads, leading to a compromised user experience and potential reputation damage. 

What is the current status?

Upon discovering the vulnerability in Microweber Version 2.0.1, Astra’s team promptly notified the platform’s developers along with possible solutions that they may implement to avoid any possible exploitation of user data. 

Currently, they are working on implementing a patch while formulating a long-term solution for the vulnerability.

What can you do?

Update the affected version to the latest ad-hoc security version once released by Microweber CMS Ltd.

Share this...

Facebook

Pinterest

Twitter

Linkedin