June 17, 2022

GHSL-2021-1005: Copy-paste XSS in Microweber text editor - CVE-2021-32856

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Copy-paste XSS in Microweber text editor

Product

Microweber

Tested Version

v1.2.8

Details

Issue: Copy-paste XSS in Microweber (GHSL-2021-1005)

The Microweber text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.
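A defensive paste handler for this class of bug, as an added example that is not Microweber's code and not part of the original advisory. The function names (`unsafePaste`, `safePasteHtml`, `attachSafePaste`) are hypothetical and the sample clipboard contents are constructed.

```javascript
// Added example, not Microweber code. All names here are hypothetical.

// Vulnerable pattern: the text/html clipboard flavour is chosen by whatever
// page the user copied from, and the editor parses it as markup.
function unsafePaste(clipboardData) {
  return clipboardData.getData("text/html"); // inserted as-is, attributes included
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hardened pattern: ignore text/html, take text/plain, escape every
// markup-significant character, and keep only line breaks as markup.
function safePasteHtml(clipboardData) {
  const text = clipboardData.getData("text/plain") || "";
  return text
    .replace(/[&<>"']/g, (ch) => ESCAPES[ch])
    .replace(/\r\n|\r|\n/g, "<br>");
}

// Browser wiring: cancel the default paste and insert the escaped text.
// execCommand is deprecated but still widely supported in contenteditable.
function attachSafePaste(editorEl) {
  editorEl.addEventListener("paste", (event) => {
    event.preventDefault();
    const html = safePasteHtml(event.clipboardData);
    editorEl.ownerDocument.execCommand("insertHTML", false, html);
  });
}

// Constructed sample: the two flavours a copied selection can carry.
function sampleClipboard() {
  const flavours = {
    "text/html": '<b onmouseover="doSomething()">hello</b>',
    "text/plain": 'hello <b onmouseover="doSomething()">\nworld',
  };
  return { getData: (type) => flavours[type] || "" };
}
```

Editors that must keep pasted formatting need an allowlist-based HTML sanitizer in place of the plain-text fallback shown here.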

Proof of concept (tested on Chrome):

Note: This issue was found using the following CodeQL query

Impact

This issue may lead to XSS with user interaction.

CVE

Credit

This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2021-1005 in any communication regarding this issue.