VYPR
Moderate severity · GHSA Advisory · Published Mar 17, 2019 · Updated Aug 5, 2024

CVE-2018-19917


Description

Microweber 1.0.8 contains reflected cross-site scripting (XSS) vulnerabilities allowing arbitrary script execution via crafted URL parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Microweber 1.0.8 is vulnerable to reflected cross-site scripting (XSS) as reported in advisory NS-18-038 [1],[4]. The flaw exists because user-supplied input in URL parameters is not adequately sanitized before being reflected back to the browser, enabling injection of arbitrary HTML and JavaScript code. No authentication or special configuration is required; an attacker only needs to trick a victim into visiting a crafted link [4].

Exploitation

An attacker crafts a malicious URL containing a script payload in the query string, e.g., /?s=. When the victim clicks the link, the browser executes the injected script in the context of the Microweber application [1],[4]. No user interaction beyond clicking the link is required; the attacker does not need to be authenticated or have any special privileges [4].

Impact

Successfully exploiting the vulnerability allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session cookie theft, page content manipulation, or redirection to malicious sites within the trust context of the legitimate Microweber site [1],[4]. The impact is limited to information disclosure and UI spoofing; no direct server compromise is achieved through this XSS alone.

Mitigation

As of the disclosure date (January 2019), no official patch had been released for Microweber 1.0.8 [4]. The vendor was notified but the vulnerability remained unfixed. Users should upgrade to a later version if available, or apply strict input validation and output encoding as a temporary workaround. The CVE is not listed on the CISA KEV, and no fix is confirmed in available references [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: microweber/microweber (Packagist)
Affected versions: <= 1.0.8
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `keywords` GET parameter in `search.php` is reflected into the web page output without proper neutralization, allowing injection of arbitrary HTML and JavaScript."

Attack vector

An attacker crafts a URL containing a malicious payload in the `keywords` GET parameter, such as `x' onmouseover=netsparker(0x001E3C) x='` [ref_id=1][ref_id=2]. When a victim visits this URL and hovers over the injected element, the attacker's JavaScript executes in the victim's browser context. No authentication is required, and the attack is delivered via a simple link that can be sent through email, social media, or other channels [CWE-79].

Affected code

The vulnerability exists in the `search.php` file of Microweber 1.0.8. The `keywords` GET parameter is reflected into the page output without proper sanitization or encoding [ref_id=1][ref_id=2].

What the fix does

The advisory states the vulnerability status is "Not Fixed" [ref_id=1][ref_id=2]. No patch has been published by the vendor. To remediate, the application should properly encode or sanitize the `keywords` parameter before reflecting it in the HTML response, preventing injection of arbitrary HTML and JavaScript [CWE-79].
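To make the remediation concrete, the following is an added illustration (not Microweber's code and not from the advisory): a minimal PHP search page that reflects a `keywords` GET parameter into an input's value attribute, first in the vulnerable form and then with context-appropriate output encoding. The function names and the template are assumptions for the example; the sample input is the payload string quoted above, used here to show that encoding neutralizes it.

```php
<?php
// Added illustration, not Microweber's code: a minimal search page that
// reflects the `keywords` GET parameter into an input's value attribute,
// shown in a vulnerable form and in a hardened form.

// Constructed sample input: the payload string quoted in the advisory.
$sample = "x' onmouseover=netsparker(0x001E3C) x='";

// Vulnerable rendering (hypothetical template): the raw value is concatenated
// into a single-quoted attribute, so the quote inside the value closes the
// attribute and the remainder is parsed as a new event-handler attribute.
function render_search_vulnerable(string $keywords): string
{
    return "<input type='text' name='keywords' value='" . $keywords . "'>";
}

// Hardened rendering: encode for the HTML attribute context before reflecting.
// ENT_QUOTES converts both ' and " (older PHP defaults left ' untouched), and
// the explicit charset avoids encoding-related bypasses.
function render_search_safe(string $keywords): string
{
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='text' name='keywords' value='" . $encoded . "'>";
}

// Under a web server the value comes from the request; from the CLI the
// constructed sample is used so the script runs stand-alone.
$keywords = $_GET['keywords'] ?? $sample;

echo "Vulnerable: " . render_search_vulnerable($keywords) . "\n";
echo "Hardened:   " . render_search_safe($keywords) . "\n";
```

The hardened output keeps the quote characters as entities inside the attribute value, so the browser never sees a second attribute. The encoding has to match the sink: `htmlspecialchars()` is right for HTML text and attribute values, but a value reflected into a `<script>` block or a JavaScript event handler needs JavaScript-string encoding instead, and a value placed in a URL needs `rawurlencode()`.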

Preconditions

  • input: The victim must visit a crafted URL containing the malicious payload in the keywords parameter
  • input: The victim must hover over the injected element (onmouseover event)
  • auth: No authentication is required; the vulnerable search.php endpoint is publicly accessible

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0