GHSL-2021-1005: Copy-paste XSS in Microweber text editor - CVE-2021-32856

Coordinated Disclosure Timeline

• 2021-09-15: Report sent to admin@microweber.com
• 2021-09-17: Fixed by this commit
• 2021-09-17: Fix reverted since it broke some features.
• 2022-03-25: Fixed in v1.2.12
• 2022-04-27: We realised the fix was not complete and reported it to the maintainer.
• 2022-04-27: Maintainers claimed that the vulnerability is fixed and marked our new report as invalid.
• 2022-04-27: We inform the maintainer about how the vulnerability can be exploited.
• 2022-06-15: We disclose the advisory as per our disclosure policy.

Summary

Copy-paste XSS in Microweber text editor

Product

Microweber

Tested Version

v1.2.8

Details

Issue: Copy-paste XSS in Microweber (GHSL-2021-1005)

The Microweber text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.

Proof of concept (tested on Chrome):

• Open this page: cdn.sekurak.pl/copy-paste/playground.html
• Paste the following code into “HTML Input”

    <img src="foo" onload="alert(1)" onerror="alert(2)"/>
  

• Click “Copy as HTML”
• Log in to the admin page, and start a live-edit session.
• For example, just open https://demo.microweber.org/ and it will automatically log you into a demo account.
• Open https://demo.microweber.org/demo/modern-golder-watch
• Select some of the text, such that you can write in it
• Paste into the text editor.

Note: This issue was found using the following CodeQL query

Impact

This issue may lead to XSS with user interaction

CVE

• CVE-2021-32856

Credit

This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1005 in any communication regarding this issue.