Coordinated Disclosure Timeline
- 2021-09-15: Report sent to email@example.com
- 2021-09-17: Fixed by this commit
- 2021-09-17: Fix reverted since it broke some features.
- 2022-03-25: Fixed in v1.2.12
- 2022-04-27: We realised the fix was not complete and reported it to the maintainer.
- 2022-04-27: Maintainers claimed that the vulnerability is fixed and marked our new report as invalid.
- 2022-04-27: We inform the maintainer about how the vulnerability can be exploited.
- 2022-06-15: We disclose the advisory as per our disclosure policy.
Copy-paste XSS in Microweber text editor
Issue: Copy-paste XSS in Microweber (
The Microweber text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.
Proof of concept (tested on Chrome):
- Open this page: cdn.sekurak.pl/copy-paste/playground.html
- Paste the following code into “HTML Input”
<img src="foo" onload="alert(1)" onerror="alert(2)"/>
- Click “Copy as HTML”
- Log in to the admin page, and start a live-edit session.
- For example, just open https://demo.microweber.org/ and it will automatically log you into a demo account.
- Open https://demo.microweber.org/demo/modern-golder-watch
- Select some of the text, such that you can write in it
- Paste into the text editor.
This issue may lead to XSS with user interaction
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2021-1005 in any communication regarding this issue.