CVE-2024-58289 – Microweber 2.0.15 contains a stored cross-site ... (How to Fix)

Q: What is the severity of CVE-2024-58289?

CVE-2024-58289 has a CVSS score of 5.4 (MEDIUM). Microweber 2.0.15 contains a stored cross-site scripting vulnerability in user profile fields that allows authenticated attackers to inject malicious JavaScript. When other users view the attacker's profile, the script executes in their browser context, potentially stealing session cookies or performing unauthorized actions. This affects all Microweber installations running version 2.0.15 with user registration enabled.

📋 TL;DR

Microweber 2.0.15 contains a stored cross-site scripting vulnerability in user profile fields that allows authenticated attackers to inject malicious JavaScript. When other users view the attacker's profile, the script executes in their browser context, potentially stealing session cookies or performing unauthorized actions. This affects all Microweber installations running version 2.0.15 with user registration enabled.

💻 Affected Systems

Products:

Microweber

Versions: 2.0.15

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user registration/authentication functionality to be enabled. All installations with user profiles are vulnerable.

📦 What is this software?

Microweber by Microweber

View all CVEs affecting Microweber →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full administrative access, compromise user accounts, and potentially pivot to server compromise through subsequent attacks.

🟠

Likely Case

Attackers steal user session cookies to hijack accounts, perform unauthorized actions, or deface user profiles with malicious content.

🟢

If Mitigated

Limited to authenticated users only, with potential for account compromise but restricted to user-level privileges.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authenticated user access. Public exploit code demonstrates simple JavaScript injection in first name field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.16 or later

Vendor Advisory: https://github.com/microweber/microweber

Restart Required: No

Instructions:

1. Backup your Microweber installation. 2. Update to Microweber 2.0.16 or later via the admin panel or manual update. 3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Sanitization

all

Implement server-side input validation and output encoding for user profile fields

Modify user profile handling code to sanitize inputs using htmlspecialchars() or similar functions

Content Security Policy

all

Implement strict CSP headers to prevent script execution from user inputs

Add 'Content-Security-Policy: default-src 'self'; script-src 'self'' to web server configuration

🧯 If You Can't Patch

Disable user registration and profile editing functionality
Implement web application firewall rules to block XSS payloads in user profile submissions

🔍 How to Verify

Check if Vulnerable:

Check if Microweber version is 2.0.15. Attempt to inject <script>alert('XSS')</script> into first name field and see if it executes when viewing profile.

Check Version:

Check admin panel dashboard or view composer.json file for version information

Verify Fix Applied:

After updating, attempt the same XSS payload injection. It should be properly sanitized and not execute.

📡 Detection & Monitoring

Log Indicators:

Unusual script tags in user profile update requests
Multiple failed login attempts followed by profile updates

Network Indicators:

HTTP POST requests to user profile endpoints containing script tags or JavaScript code

SIEM Query:

source="web_logs" AND (uri_path="/api/user/update" OR uri_path="/user/save-profile") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")

📊 Metadata

CVE ID: CVE-2024-58289

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (13.3th percentile)

Published: December 11, 2025

Last Updated: January 12, 2026

🔗 References

https://github.com/microweber/microweber Product
https://microweber.me/ Broken Link
https://www.exploit-db.com/exploits/52058 Exploit,Third Party Advisory,VDB Entry
https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-58289, you might also want to check these: