CVE-2018-1000826
Description
Microweber <=1.0.7 has a reflected XSS in the admin login form that allows an attacker to execute JavaScript via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Microweber versions up to and including 1.0.7 contain a reflected Cross-Site Scripting (XSS) vulnerability in the admin login form template located at userfiles/modules/users/login/templates/admin.php. The username and password fields directly reflect user-supplied input from $_REQUEST without proper sanitization, allowing injection of arbitrary HTML and JavaScript [2][4].
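An added illustration, not Microweber's code: the reflected-attribute pattern from admin.php reduced to a stand-alone PHP script, with the pre-fix behaviour next to output encoding for the HTML-attribute context (the function names and the sample request are made up for the example).

```php
<?php
// Added example, not Microweber's code. Function names are invented.

// Pre-fix pattern (mirrors admin.php before the patch): the request value is
// printed straight into an HTML attribute. A double quote in the input ends
// value="..." and everything after it is parsed as markup.
function render_username_field_unsafe(array $request): string
{
    $value = isset($request['username']) ? $request['username'] : '';
    return '<input name="username" type="text" value="' . $value . '" />';
}

// Hardened: encode for the HTML-attribute context at the point of output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on malformed UTF-8, which would otherwise hide bad input.
function render_username_field_safe(array $request): string
{
    $value = isset($request['username'])
        ? htmlspecialchars($request['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : '';
    return '<input name="username" type="text" value="' . $value . '" />';
}

// The password is never echoed back into the page, whatever the request held.
function render_password_field_safe(array $request): string
{
    return '<input name="password" type="password" />';
}

// Does the rendered HTML contain a tag the template itself never emitted?
function breaks_out_of_attribute(string $html): bool
{
    return substr_count($html, '<') > 1;   // the template emits exactly one tag
}

// Constructed request: harmless text that still carries a closing quote and a tag.
$request = ['username' => 'admin"><b>injected</b>', 'password' => 'hunter2'];

foreach (['unsafe' => render_username_field_unsafe($request),
          'hardened' => render_username_field_safe($request)] as $label => $html) {
    printf("%-8s breaks out of attribute: %s\n    %s\n",
        $label, breaks_out_of_attribute($html) ? 'yes' : 'no', $html);
}
echo render_password_field_safe($request), PHP_EOL;
```

The hardened renderer turns the quote and angle brackets into `&quot;`, `&lt;` and `&gt;`, so the browser sees one input element whose value is the literal text, while the unsafe renderer yields three tags.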
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the username parameter and trick an authenticated admin user into visiting it. The payload is reflected in the login form's input fields and executed in the victim's browser, requiring no additional privileges beyond the victim's session [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's session, leading to session hijacking, unauthorized actions, data theft, or defacement of the Microweber site [2][4].
Mitigation
The vulnerability is fixed in commit 5b29bc854bcfbfc5d4df1523ee221c900e7598a9 [3]. Users should upgrade to a version later than 1.0.7 or apply the provided patch. No workarounds are available, and this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| microweber/microweber (Packagist) | < 1.1 | 1.1 |
Affected products
Patches
5b29bc854bcf fix of XSS on login screen #489
3 files changed · +7 −5
userfiles/modules/users/login/index.php+3 −0 modified@@ -77,6 +77,9 @@ </script> <?php + $input = mw()->format->clean_xss(\Input::all()); + + $login_captcha_enabled = get_option('login_captcha_enabled', 'users') == 'y'; # Login Providers
userfiles/modules/users/login/templates/admin.php+2 −3 modified@@ -111,11 +111,10 @@ <form autocomplete="on" method="post" id="user_login_<?php print $params['id'] ?>" action="<?php print api_link('user_login') ?>"> <div class="mw-ui-field-holder"> - <input class="mw-ui-field mw-ui-field-big silver-field" autofocus="" tabindex="1" required name="username" type="text" placeholder="<?php _e("Username or Email"); ?>" <?php if (isset($_REQUEST['username']) != false): ?> value="<?php print $_REQUEST['username'] ?>" <?php endif; - ?> /> + <input class="mw-ui-field mw-ui-field-big silver-field" autofocus="" tabindex="1" required name="username" type="text" placeholder="<?php _e("Username or Email"); ?>" <?php if (isset($input['username']) != false): ?> value="<?php print $input['username'] ?>" <?php endif; ?> /> </div> <div class="mw-ui-field-holder"> - <input class="mw-ui-field mw-ui-field-big silver-field" name="password" tabindex="2" required type="password" <?php if (isset($_REQUEST['password']) != false): ?> value="<?php print $_REQUEST['password'] ?>" <?php endif; ?> placeholder="<?php _e("Password"); ?>"/> + <input class="mw-ui-field mw-ui-field-big silver-field" name="password" tabindex="2" required type="password" <?php if (isset($input['password']) != false): ?> value="<?php print $input['password'] ?>" <?php endif; ?> placeholder="<?php _e("Password"); ?>"/> </div>
userfiles/modules/users/login/templates/default.php+2 −2 modified@@ -31,10 +31,10 @@ <div id="user_login_holder_<?php print $params['id'] ?>"> <form method="post" id="user_login_<?php print $params['id'] ?>" class="clearfix" action="#"> <div class="control-group form-group"> - <input class="large-field form-control" name="username" type="text" placeholder="<?php _e("Email or username"); ?>"/> + <input class="large-field form-control" name="username" <?php if (isset($input['username']) != false): ?> value="<?php print $input['username'] ?>" <?php endif; ?> type="text" placeholder="<?php _e("Email or username"); ?>"/> </div> <div class="control-group form-group"> - <input class="large-field form-control" name="password" type="password" placeholder="<?php _e("Password"); ?>"/> + <input class="large-field form-control" name="password" <?php if (isset($input['password']) != false): ?> value="<?php print $input['password'] ?>" <?php endif; ?> type="password" placeholder="<?php _e("Password"); ?>"/> </div> <?php if (isset($login_captcha_enabled) and $login_captcha_enabled): ?> <module type="captcha" />
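Review bot: in the index.php hunk, `$input = mw()->format->clean_xss(\Input::all());` makes the templates' safety depend on a variable prepared in a different file and on a filter applied to the whole request, while the templates still print `$input['username']` raw into a `value` attribute. Suggest escaping for the attribute context at the point of output instead, e.g. `value="<?php print htmlspecialchars($input['username'], ENT_QUOTES, 'UTF-8') ?>"`, so each template stays safe even if it is rendered where `$input` was never set (with `isset()` the unset case silently falls through to no value).

Review bot: in the admin.php hunk, the password input still echoes the submitted password back into the response (`value="<?php print $input['password'] ?>"`), so a typed password lands in the HTML source and in anything that stores or inspects the rendered page. Drop the `value` attribute from the password input altogether; a failed login should not pre-fill the secret. Minor: `isset(...) != false` is just `isset(...)`.

Review bot: in the default.php hunk, do not add `value` reflection to the password input and escape the username before printing it; the default template reflected neither field before this change, so as written the hunk widens the reflected surface this commit is meant to close and introduces the same password echo-back as admin.php.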
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xmcr-x5x3-gjfx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000826 (GHSA, advisory)
- 0dd.zone/2018/10/28/microweber-XSS (GHSA, web)
- 0dd.zone/2018/10/28/microweber-XSS/ (MITRE, x_refsource_MISC)
- github.com/microweber/microweber/commit/5b29bc854bcfbfc5d4df1523ee221c900e7598a9 (GHSA, web)
- github.com/microweber/microweber/issues/489 (GHSA, x_refsource_MISC, web)