CVE-2025-70791
Stored Cross-Site Scripting in Microweber Admin Order Endpoint
Publication date: 2026-02-05
Last updated on: 2026-02-10
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microweber | microweber | 2.0.19 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70791 is a Cross-Site Scripting (XSS) vulnerability in the "/admin/order/abandoned" endpoint of Microweber version 2.0.19 and earlier. The "orderDirection" URL parameter is reflected into the page without proper sanitization or output encoding, so an attacker can inject arbitrary HTML and JavaScript through it.

An attacker crafts a URL with a JavaScript payload in the "orderDirection" parameter and tricks an admin user into opening it. When the admin does so, the injected script executes in their browser within the context of the authenticated admin interface. Note that the advisory title labels this as stored XSS, while the mechanism described here (a crafted URL the victim must open) is that of reflected XSS; in either case the script runs with the admin's session.

This issue was responsibly reported and fixed in Microweber version 2.0.20. [1]
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript code in the browser of an admin user. This can lead to several malicious impacts including:
- Session hijacking of the admin user, allowing attackers to impersonate the admin.
- Theft of sensitive data accessible to the admin user.
- Unauthorized actions performed within the admin panel by executing scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This Cross-Site Scripting (XSS) vulnerability can be confirmed by reproducing it against a test instance of Microweber 2.0.19 (not a production system): clone the repository at that version, build and run it with Docker, and open a crafted URL that places a payload in the "orderDirection" parameter.
- Clone the repository at version 2.0.19: `git clone -b v2.0.19 https://github.com/microweber/microweber.git`
- Enter the directory: `cd microweber`
- Start the application with Docker Compose: `docker compose up -d`
- Open http://localhost and complete the UI installation.
- Logged in as an admin, visit the crafted URL, for example: `http://localhost/admin/order/abandoned?orderDirection="><script>alert(1);</script>` (the browser percent-encodes the quote and angle brackets on the wire, so the request carries `orderDirection=%22%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E`).
If an alert popup appears, the injected JavaScript executed and the instance is vulnerable. On systems you cannot test this way, compare the installed version against 2.0.19 and review web-server access logs for requests to /admin/order/abandoned whose orderDirection value is anything other than a plain sort direction. [1]
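For the log-review side of the detection question, the following script is an added example for this page (not Microweber project code and not part of the original advisory). It parses access-log lines in the common Apache/nginx "combined" format, pulls the orderDirection value from requests to /admin/order/abandoned, percent-decodes it repeatedly so double-encoded payloads are normalised, and flags anything that is neither an expected sort direction nor free of HTML metacharacters. The allowlist of "asc" and "desc" and the sample log lines are assumptions constructed for the example; adjust them to your deployment.

```python
"""Scan web-server access logs for exploitation attempts against the
orderDirection parameter of /admin/order/abandoned (CVE-2025-70791).

Added example for this page, not Microweber project code. It assumes
Apache/nginx "combined" log format and that the only legitimate values of
orderDirection are "asc" and "desc" (an assumption; adjust ALLOWED_VALUES
if your installation uses others).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/admin/order/abandoned"
ALLOWED_VALUES = {"asc", "desc"}  # assumed legitimate sort directions

# Metacharacters and fragments a sort direction never needs; the advisory's
# payload ("><script>...) relies on the quote and angle brackets to break
# out of an HTML attribute.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

# "combined" format: client ident user [timestamp] "METHOD target proto" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample lines (not real traffic): a benign sort, the advisory's
# payload percent-encoded, a double-encoded variant, and a hit on another path.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2026:10:01:02 +0000] "GET /admin/order/abandoned?orderField=created_at&orderDirection=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Feb/2026:10:03:17 +0000] "GET /admin/order/abandoned?orderDirection=%22%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Feb/2026:10:03:18 +0000] "GET /admin/order/abandoned?orderDirection=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5211 "-" "curl/8.0"
10.0.0.7 - - [05/Feb/2026:10:05:00 +0000] "GET /admin/order?orderDirection=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_direction(raw_value: str) -> bool:
    """True if a (possibly still encoded) orderDirection value looks like an
    injection attempt rather than a sort direction."""
    decoded = decode_fully(raw_value)
    if decoded.strip().lower() in ALLOWED_VALUES:
        return False
    return SUSPICIOUS.search(decoded) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per request to TARGET_PATH whose orderDirection
    value is suspicious; requests to other paths are ignored."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs decodes one layer; decode_fully handles any remaining ones.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("orderDirection", []):
            if is_suspicious_direction(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "orderDirection": decode_fully(value),
                })
    return hits


if __name__ == "__main__":
    # Usage: python scan_orderdirection.py < /var/log/nginx/access.log
    # (falls back to the constructed sample when nothing is piped in)
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for hit in scan_log(source):
        print(f'{hit["time"]} {hit["ip"]} orderDirection={hit["orderDirection"]!r}')
```

Run it against the sample and it reports the two requests from 10.0.0.9, while the legitimate `desc` sort and the request to a different path are left alone. The repeated decoding matters: a filter that decodes only once would pass the third line through as harmless-looking percent text.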
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Microweber to version 2.0.20 or later, where the vulnerability is fixed.

The fix sanitizes user-controlled parameters, including "orderDirection", with the `xss_clean` function before they reach the output. [2] More generally, a sort-direction parameter only ever needs to take a few known values, so validating it against an allowlist (and encoding anything that is reflected into HTML) is a stricter defence than filtering alone.

If upgrading immediately is not possible, filter or block requests that carry HTML metacharacters or script fragments in the affected parameters at the web application firewall or reverse proxy. Treat this as a stopgap: such filters are prone to encoding-based bypasses, and restricting access to the /admin/ path to trusted networks also reduces exposure until the upgrade is done.