Recently, security researcher Carlos Bello from the Offensive Team of Fluid Attacks disclosed a high-severity vulnerability in the Microweber content management system that allows an attacker to take control of the administration account.
Microweber is a drag-and-drop website builder and a powerful next-generation CMS. It is based on the PHP Laravel framework. You can use Microweber to make any kind of website, online store, or blog, and its drag-and-drop technology lets you build a site without any technical knowledge. Microweber has over 102,319 downloads and installations around the world.
The flaw, tracked as CVE-2022-0698 (CVSS score: 8.8), is a DOM-based cross-site scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote attacker could exploit it through the select-file parameter in a specially crafted URL: once the URL is clicked, script executes in the victim's web browser within the security context of the hosting website. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2022-0698 affects Microweber 1.3.1 and allows an unauthenticated remote attacker to perform an account takeover.
“To trigger this vulnerability, we will need to send the following malicious link to an administrator in order to hack their account. The following is an example of a malicious URL:
http://example.com/admin/view:modules/load_module:files#select-file=http://example.com/userfiles/media/default/ovaa-checklist.php%22onload%3d%22javascript:PAYLOAD%22+///.txt,” reads the Fluid Attacks advisory.
At present, no fix is available for this flaw. Administrators are advised not to click on links from unknown sources and to update as soon as patches are announced.