CVE-2024-33299 PoC — Microweber 安全漏洞

Source

https://github.com/MathSabo/CVE-2024-33299

Associated Vulnerability

Title:Microweber 安全漏洞 (CVE-2024-33299)
Description:Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users

Description

Stored Cross Site Scripting vulnerability in Microweber < 2.0.9

Readme

# CVE-2024-33299
Stored Cross Site Scripting vulnerability in Microweber <= 2.0.9

## Summary :

A Stored Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint **/admin/module/view?type=users**

## Requirements :

- [Microweber](https://github.com/microweber/microweber) version <= 2.0.9
- Admin access

## Steps to reproduce :

1. Authenticate the application with administrative privileges
2. Go to the endpoint **/admin/users**
3. Select any user to edit (or create one later edit)
4. Insert the payload `<img src=x onerror=alert(1)>` on either **"First Name"** or **"Last Name"** as both fields can trigger the JavaScript injection
5. Go to the endpoint **/admin/module/view?type=users** to trigger the JavaScript injection

## Affected components :

- /admin/module/view?type=users

## Impact :

An attacker could execute JavaScript code in the victim's browser, obtaining information or forcing the user to access malicious websites, for example.

## Relevant References

https://www.cve.org/CVERecord?id=CVE-2024-33299

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!