Stored XSS Vulnerability in Microweber Version 2.0.1

Updated on: November 3, 2023


A Stored XSS vulnerability has been identified in Microweber Version 2.0.1, posing a significant risk to user data. This article explores the vulnerability, its discovery, current status, and mitigation steps.

Action Points

  1. Microweber is an open-source drag-and-drop website builder and content management system (CMS).
  2. Stored XSS injects malicious code into web apps via stored user input and can be used to perform harmful actions such as stealing user cookies.
  3. The Stored XSS vulnerability has been reported to the platform, which is in the process of rolling out a patch soon.
  4. To protect yourself, promptly update to the latest security version once it is released.

But before we jump into the deep end, let’s understand some basics:

What is Microweber?

Microweber is an open-source drag-and-drop website builder. It is a powerful content management system (CMS) that has been installed more than 100,000 times and has 40,000+ active users.

However, while running security tests, Astra’s Security Team discovered a new Stored XSS vulnerability in the latest version, Microweber Version 2.0.1, released on October 27, 2023.

What is Stored XSS vulnerability?

Stored Cross-Site Scripting (Stored XSS) is a specific form of XSS attack that injects malicious code into a vulnerable web application, targeting users’ browsers instead of the web server directly.

The attack leverages user input that is saved or “stored” on the target server, in places such as a message forum, a visitor log, or a comment field.

If such input is not protected through input validation, output encoding, and security headers, a malicious script can be injected into it. When a victim interacts with the compromised web application and requests the stored information, their browser retrieves the malicious code from the server and executes it.
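To make the store-then-render flow concrete, here is an added example (not Microweber’s code and not from the original article): a hypothetical in-memory comment store rendered once without and once with output encoding, plus the response headers that limit what an injected script could do if encoding is ever missed.

```javascript
// Added illustration, not Microweber code. A minimal comment feature showing why
// output encoding and security headers are the controls that stop stored XSS.

// In-memory store standing in for the CMS database (hypothetical).
const comments = [];

function storeComment(author, body) {
  // Input validation: reject malformed or over-long input. Do not try to "strip"
  // HTML here; the reliable defence is encoding at output time, per context.
  if (typeof author !== "string" || typeof body !== "string" || body.length > 2000) {
    throw new Error("invalid comment");
  }
  comments.push({ author, body });
}

// Vulnerable rendering: stored text is concatenated straight into HTML, so any
// markup saved by a user is interpreted by every visitor's browser.
function renderUnsafe() {
  return comments.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join("");
}

// HTML entity encoding for an element-content context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every stored value is encoded before it reaches the page,
// so the same bytes are shown as text instead of executed.
function renderSafe() {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// Security headers to send with the page: a CSP without 'unsafe-inline' blocks
// inline scripts even if an encoding gap is missed somewhere.
const securityHeaders = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "X-Content-Type-Options": "nosniff",
};

// Constructed sample input: a comment whose body carries a script tag.
storeComment("guest", "Nice site <script>alert('stored')</script>");
```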

What is the impact of Stored XSS?

Stored XSS attacks can have severe consequences, which vary with the privileges assigned to the affected user:

1. Data Theft and Session Hijacking

Once executed, the malicious code can steal the victim’s data (e.g., cookies and user info), allowing unauthorized access, impersonation, and performing actions on the victim’s behalf (e.g., changing settings, making transactions).

2. Malware and Ransomware Propagation

Malicious scripts used in a Stored XSS attack can also be designed to trigger downloads of malware or ransomware from external sources, or to exploit vulnerabilities in users’ browsers to deliver malware payloads, potentially compromising their devices and spreading the malware further.

3. Website Defacement

Malicious scripts used in a Stored XSS attack can also alter the appearance and content of the web page, effectively defacing the website. For example, they can replace content, change layouts, or add unwanted ads, leading to a compromised user experience and potential reputation damage.

What is the current status?

Upon discovering the vulnerability in Microweber Version 2.0.1, Astra’s team promptly notified the platform’s developers, along with possible solutions they may implement to prevent any exploitation of user data.

Currently, they are working on implementing a patch while formulating a long-term solution for the vulnerability.

What can you do?

Update the affected version to the latest ad-hoc security version once released by Microweber CMS Ltd.

Sanskriti Jain

Sanskriti is a technical writer at Astra who believes in writing with purpose and for a purpose. When she is not busy exploring the world of cybersecurity, you will probably find her with her nose buried deep in a book or on the lookout for a perfectly brewed cup of coffee.
