Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field.
Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.
HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript.
Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.
Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code.
microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\settings\admin.php.
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.