cbcvebase.
CVE-2022-0666
published 2022-02-18

CVE-2022-0666: CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

Priority: P268 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: public (Nuclei template, see Detection & IOCs below)
EPSS: 44.26% (98.6th percentile)

Affected

5 ranges

Vendor              Product               Version range               Fixed in
microweber          microweber            < 1.2.11                    1.2.11
microweber          microweber            >= 0 < 1.2.11               1.2.11
microweber          microweber_microweber >= unspecified < 1.2.11     1.2.11
octokit             octokit               >= 4.23.0 < 4.25.0          4.25.0
octopoller_project  octopoller            >= 0.2.0 < 0.3.0            0.3.0

Note: the first three rows are the same product (microweber/microweber) as recorded by different sources; anything below 1.2.11 is affected. The octokit and octopoller rows do not match the CVE description, which names only Packagist microweber/microweber, and appear to be aggregator cross-contamination; do not use them for triage of this CVE.

Detection & IOCs (extracted from sources)

Request URL (Nuclei template): {{BaseURL}}/api/logout?redirect_to=%0d%0aSet-Cookie:crlfinjection=1;
Cookie canary: crlfinjection=1
  • The exploit targets the /api/logout endpoint with a CRLF-encoded (%0d%0a) redirect_to parameter so that the value reflected into the redirect response splits the header block and injects a Set-Cookie header. Detect by monitoring HTTP responses from this endpoint for Set-Cookie headers the application never sets.
  • A response header matching the regex '^Set-Cookie: crlfinjection=1;' is a positive indicator that the published template was run against the host and that the injection succeeded. The cookie name is the template's canary, not a property of the bug: an attacker will choose a different header, so log-side detection should flag any redirect_to value that decodes to a CR or LF (%0d, %0a, their upper-case forms, and double-encoded %250d/%250a), not just this string.
  • Use the Shodan query 'http.favicon.hash:780351152' or 'http.html:"microweber"' to identify exposed Microweber instances for targeted scanning.
  • Use the FOFA query 'icon_hash=780351152' or 'body="microweber"' to identify exposed Microweber instances.
  • The vulnerability affects Microweber versions prior to 1.2.11 only. Instances running 1.2.11 or later are not affected.
  • The injection vector is specifically the 'redirect_to' GET parameter on the /api/logout endpoint; other endpoints are not confirmed vulnerable by this CVE.
  • The CVE classifies the impact as information disclosure (stack trace exposure), which is why the NVD 3.1 vector scores C:H with no integrity or availability impact even though the PoC demonstrates response-header injection.
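The two detection points above (request logs and response headers) as an added example, not code from the source page or from the Microweber project. It scans constructed access-log lines for CR/LF in decoded query parameters, labels hits on /api/logout?redirect_to as this CVE and anything else as generic CRLF probing, and checks a raw HTTP response head for a split-off Set-Cookie header. The log lines and responses are constructed samples; the canary name defaults to the published template's cookie.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2022:10:00:01 +0000] "GET /api/logout?redirect_to=%0d%0aSet-Cookie:crlfinjection=1; HTTP/1.1" 302 0
203.0.113.5 - - [18/Feb/2022:10:00:02 +0000] "GET /api/logout?redirect_to=%2Fadmin HTTP/1.1" 302 0
198.51.100.7 - - [18/Feb/2022:10:00:03 +0000] "GET /api/logout?redirect_to=/%0aLocation:%20https://evil.example/ HTTP/1.1" 302 0
198.51.100.7 - - [18/Feb/2022:10:00:04 +0000] "GET /index.php?q=%250d%250a HTTP/1.1" 200 512
"""

# Constructed response heads: one where the redirect header was split by the
# injected CRLF, one where the payload stayed inside a single Location value.
VULN_RESPONSE = (
    "HTTP/1.1 302 Found\r\nLocation: \r\nSet-Cookie:crlfinjection=1;\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAFE_RESPONSE = (
    "HTTP/1.1 302 Found\r\nLocation: /%0D%0ASet-Cookie:crlfinjection=1;\r\n"
    "Content-Length: 0\r\n\r\n"
)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CRLF_RE = re.compile(r"[\r\n]")


def crlf_params(request_target):
    """Return (path, name, decoded value) for every query parameter whose value
    contains CR or LF after one or two rounds of percent-decoding."""
    parts = urlsplit(request_target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; unquote again to catch %250d%250a double encoding.
        if CRLF_RE.search(value) or CRLF_RE.search(unquote(value)):
            hits.append((parts.path, name, value))
    return hits


def scan_log(log_text):
    """Scan access-log lines; label /api/logout?redirect_to hits as this CVE."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for path, name, value in crlf_params(m.group("target")):
            match = (
                "cve-2022-0666"
                if path == "/api/logout" and name == "redirect_to"
                else "generic-crlf"
            )
            findings.append(
                {"ip": line.split(" ", 1)[0], "path": path, "param": name,
                 "value": value, "match": match}
            )
    return findings


def response_indicators(raw_response, canary="crlfinjection=1"):
    """Parse a raw HTTP response head and return the values of Set-Cookie
    headers carrying the canary. A canary that only appears inside another
    header's value (e.g. a re-encoded Location) was not split off and is not
    reported, so the result distinguishes a successful injection from a
    reflected-but-harmless payload."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return [v for n, v in headers if n == "set-cookie" and v.startswith(canary)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print("vulnerable response:", response_indicators(VULN_RESPONSE))
    print("safe response:", response_indicators(SAFE_RESPONSE))
```

The log scanner flags three of the four sample lines (two against the CVE's endpoint and parameter, one generic probe against another path with double-encoded CRLF); the /admin redirect is not flagged. The response check reports the injected cookie only for the split response.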

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v3.0     7.6    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
cisa           -        7.5    HIGH      -
vendor_redhat  -        5.5    MEDIUM    -