CVE-2022-0281
Published: 2022-01-20
Priority: P2 (59) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit
EPSS: 12.01% (95.6th percentile)
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | <= 1.2.10 | — |
| microweber | microweber | >= 0 < 1.2.11 | 1.2.11 |
| microweber | microweber_microweber | < 1.2.11 (lower bound unspecified) | 1.2.11 |
Detection & IOCs (extracted from sources)
- An unauthenticated HTTP GET to /api/users/search_authors that returns HTTP 200 with a JSON body containing 'username', 'email' and 'display_name' fields indicates user enumeration / information disclosure. Confirm the request carried no session cookie or API token before treating the response as proof of the unauthenticated exposure.
- Shodan fingerprinting for exposed Microweber instances: favicon hash 780351152, or HTML containing 'microweber'.
- FOFA fingerprinting for exposed Microweber instances: body contains 'microweber', or icon_hash equals 780351152.
- Only Microweber versions prior to 1.2.11 are affected; the issue is patched in 1.2.11 and later.
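The three checks above (the version range, the response shape of the IOC, and the request path) are simple enough to encode as a small triage helper. The block below is an added example written for this page; it is not Microweber code and not from any of the indexed sources. The endpoint path, the three field names and the fixed version 1.2.11 come from the page; the function names, the combined-log-format regex and every sample response and log line are constructed assumptions for illustration.

```python
"""Triage helpers for CVE-2022-0281 (Microweber < 1.2.11 user-data disclosure).

Added example, not code from Microweber or from the indexed sources. It
encodes the facts the page states: the affected range (< 1.2.11), the IOC
response shape (HTTP 200, JSON records carrying username/email/display_name),
and the request path /api/users/search_authors. The access-log format and the
sample data below are constructed for illustration only.
"""
import json
import re
from typing import Iterable

FIXED_VERSION = (1, 2, 11)                 # first patched release, per the advisory
IOC_PATH = "/api/users/search_authors"     # enumeration endpoint named in the IOC
IOC_FIELDS = {"username", "email", "display_name"}


def parse_version(version: str) -> tuple:
    """Turn '1.2.10', 'v1.2' or '1.2.11-rc1' into a comparable 3-tuple of ints."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the installed version is prior to 1.2.11."""
    return parse_version(version) < FIXED_VERSION


def response_indicates_disclosure(status: int, content_type: str, body: str) -> bool:
    """Apply the page's IOC: 200, JSON body, at least one record with all three fields."""
    if status != 200 or "json" not in content_type.lower():
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    records = data if isinstance(data, list) else [data]
    # An empty list or records lacking the fields are not a disclosure.
    return any(isinstance(r, dict) and IOC_FIELDS.issubset(r) for r in records)


# Constructed regex for the Apache/nginx combined log format (assumption; adjust
# to your server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def scan_access_log(lines: Iterable[str]) -> list:
    """Flag successful GETs to the enumeration endpoint; one dict per hit.

    A 200 on this path from a client that should not be logged in is the
    retrospective signal that the endpoint was queried before the patch.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]      # ignore query string
        if m.group("method") == "GET" and path == IOC_PATH and m.group("status") == "200":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "size": m.group("size")})
    return hits


# Constructed sample data so the block runs stand-alone.
SAMPLE_BODY = json.dumps([
    {"id": 1, "username": "admin", "email": "admin@example.invalid", "display_name": "Admin"},
])
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2022:10:00:01 +0000] "GET /api/users/search_authors HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2022:10:00:02 +0000] "GET /api/users/search_authors?q=a HTTP/1.1" 200 640',
    '198.51.100.2 - - [20/Jan/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.2 - - [20/Jan/2022:10:00:04 +0000] "GET /api/users/search_authors HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("1.2.10 affected:", is_affected("1.2.10"))
    print("1.2.11 affected:", is_affected("1.2.11"))
    print("IOC body matches:", response_indicates_disclosure(200, "application/json", SAMPLE_BODY))
    for hit in scan_access_log(SAMPLE_LOG):
        print("enumeration hit:", hit)
```

`response_indicates_disclosure` deliberately requires all three field names in one record rather than the substrings anywhere in the body, so an error page that merely mentions "email" does not count; `scan_access_log` ignores the 403 line, which is the post-patch behaviour you would expect to see instead of a 200.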
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | CVSS 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | CVSS 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
GHSA
ghsa · 2022-01-21 · CVE-2022-0281 [HIGH] · CWE-200
Exposure of Sensitive Information to an Unauthorized Actor in microweber
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
OSV
osv · 2022-01-21 · CVE-2022-0281 [HIGH]
Exposure of Sensitive Information to an Unauthorized Actor in microweber
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
No detection rules found.
Nuclei
nuclei · CVSS 7.5 · CVE-2022-0281 [HIGH]
Microweber Information Disclosure
Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.
Template (as indexed; the reference list is cut off in the source):

```yaml
id: CVE-2022-0281

info:
  name: Microweber Information Disclosure
  author: pikpikcu
  severity: high
  description: Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.
  impact: |
    Successful exploitation of this vulnerability can lead to the exposure of sensitive data, such as user credentials or database information.
  remediation: |
    Apply the latest security patch or update provided by the Microweber CMS vendor to fix the information disclosure vulnerability (CVE-2022-0281).
  reference:
    - ht
```
No writeups or analysis indexed.
References
- https://github.com/microweber/microweber/commit/e680e134a4215c979bfd2eaf58336be34c8fc6e6
- https://huntr.dev/bounties/315f5ac6-1b5e-4444-ad8f-802371da3505