Mathsabo

Name of the Vulnerable Software and Affected Versions: Microweber versions prior to 2.0.9 Description: The issue allows a remote attacker to execute arbitrary code via the `campaign Name (Internal Name)` field in the `Add new campaign` function. This is a Cross Site Scripting vulnerability. Recommendations: For versions prior to 2.0.9, update to version 2.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Add new campaign` function until a patch is available. Avoid using the `campaign Name (Internal Name)` field in the affected function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Microweber versions prior to 2.0.9 Description: The issue allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint "/admin/module/view?type=admin backup", exploiting a Stored Cross Site Scripting (XSS) issue. Recommendations: For versions prior to 2.0.9, update to version 2.0.9 or later to resolve the issue. As a temporary workaround, consider disabling the create new backup function in the endpoint "/admin/module/view?type=admin backup" until a patch is available. Restrict access to the endpoint "/admin/module/view?type=admin backup" to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Microweber version 2.0.9 Microweber versions prior to 2.0.9 Description: A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via the `First Name` and `Last Name` parameters in the endpoint "/admin/module/view?type=users". This enables the attacker to inject malicious scripts into the website, potentially leading to unauthorized access or data theft. Recommendations: For Microweber version 2.0.9, update to a version that fixes this issue. For Microweber versions prior to 2.0.9, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the "/admin/module/view?type=users" endpoint until a patch is available. Avoid using the `First Name` and `Last Name` parameters in the affected endpoint until the issue is resolved.