CVE-2022-0928
Published 2022-03-11

CVE-2022-0928: Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.
Priority P4 · 33 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 2.39% (81.9th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | <= 1.2.11 | — |
| microweber | microweber | >= 0 < 1.2.12 | 1.2.12 |
| microweber | microweber_microweber | >= unspecified < 1.2.12 | 1.2.12 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 3.0 | 6.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
GHSA
Cross-site Scripting in microweber (ghsa · 2022-03-12)
CVE-2022-0928 [MEDIUM] CWE-79 Cross-site Scripting in microweber
Microweber drag and drop website builder and CMS with e-commerce. Cross-site Scripting (XSS) discovered in microweber prior to 1.2.12. There is currently no known workaround; users are recommended to update to version 1.2.12.
OSV
Cross-site Scripting in microweber (osv · 2022-03-12)
CVE-2022-0928 [MEDIUM] Cross-site Scripting in microweber
Microweber drag and drop website builder and CMS with e-commerce. Cross-site Scripting (XSS) discovered in microweber prior to 1.2.12. There is currently no known workaround; users are recommended to update to version 1.2.12.
No detection rules found.
Nuclei
Microweber < 1.2.12 - Stored Cross-Site Scripting (nuclei · CVSS 5.4)
CVE-2022-0928 [MEDIUM] Microweber < 1.2.12 - Stored Cross-Site Scripting

The template stores a probe in a shop tax name and then loads the admin tax-list module; the DSL matchers fire when the third response is HTML, both the save and the module load return 200, and the probe comes back in the body unescaped. Only the tail of the second request's body and the third request survive in this copy, and the probe string in the `body_3` matcher is blank here:

```yaml
        Microweber &rate=10

      - |
        POST /module HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: {{BaseURL}}/admin/view:settings

        class=+module+module-shop-taxes-admin-list-taxes+&id=mw_admin_shop_taxes_items_list&parent-module-id=settings-admin-mw-main-module-backend-shop-taxes-admin&parent-module=shop%2Ftaxes%2Fadmin&data-type=shop%2Ftaxes%2Fadmin_list_taxes

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3,"")'
          - 'contains(header_3,"text/html")'
          - 'status_code_2 == 200 && status_code_3 == 200'
        condition: and
# digest: 4b0a00483046022100850058eaf09f6c912602a530d0405a5308a63e79c10be7117928055d0d1fecae022100d2329da7f6524891ec745bc97a0a3924ddbfbc69a8e6ed073f65abca28df769e:922c64590222798bb761d5b6d8e72950
```
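Added example, not code from the nuclei-templates project or from Microweber: a Python model of the template's three-response matcher logic, run offline over constructed responses so the difference between a raw-rendered and an HTML-escaped tax name is visible without a target. The `/module` form body is taken from the template above; the probe marker, the login and save-tax responses, and the two row-rendering functions are assumptions standing in for the real endpoints and for the pre- and post-1.2.12 templates.

```python
"""Offline model of the Nuclei DSL matchers for CVE-2022-0928 (example, not the template)."""
import html
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed probe marker (assumption; the template's own payload is not on this page).
# A benign tag is enough to tell "rendered as HTML" from "rendered as text".
MARKER = '<b id="cve-2022-0928-probe">x</b>'


@dataclass
class Response:
    """Minimal stand-in for an HTTP response as the Nuclei DSL sees it."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def raw_headers(self) -> str:
        # header_N in the DSL is the raw header block; flatten the dict the same way.
        return "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())


def module_request_body() -> str:
    """Form body of the template's third request (the admin shop-taxes list module)."""
    fields = {
        "class": " module module-shop-taxes-admin-list-taxes ",
        "id": "mw_admin_shop_taxes_items_list",
        "parent-module-id": "settings-admin-mw-main-module-backend-shop-taxes-admin",
        "parent-module": "shop/taxes/admin",
        "data-type": "shop/taxes/admin_list_taxes",
    }
    return urlencode(fields)  # spaces become '+', '/' becomes '%2F', as in the template


def template_matches(responses: list, marker: str) -> bool:
    """Python equivalent of the template's DSL matchers with condition: and.

    responses[i] is request i+1 in template order: login, save tax, load module.
    """
    if len(responses) < 3:
        return False
    r2, r3 = responses[1], responses[2]
    return (
        marker in r3.body                                # contains(body_3, <probe>)
        and "text/html" in r3.raw_headers()              # contains(header_3, "text/html")
        and r2.status == 200 and r3.status == 200        # status_code_2/3 == 200
    )


def render_tax_row_vulnerable(name: str) -> str:
    """Assumed pre-1.2.12 behaviour: the stored tax name is echoed into the HTML raw."""
    return f"<tr><td class='tax-name'>{name}</td><td>10%</td></tr>"


def render_tax_row_fixed(name: str) -> str:
    """Hardened rendering: HTML-escape the stored value at output time."""
    return f"<tr><td class='tax-name'>{html.escape(name, quote=True)}</td><td>10%</td></tr>"


def simulate(render_row, content_type: str = "text/html; charset=UTF-8") -> bool:
    """Construct the three responses the template expects and run the matchers over them."""
    login = Response(200, {"Content-Type": "application/json"}, '{"success":true}')
    save_tax = Response(200, {"Content-Type": "application/json"}, '{"success":true}')
    module = Response(200, {"Content-Type": content_type},
                      "<table>" + render_row(MARKER) + "</table>")
    return template_matches([login, save_tax, module], MARKER)


if __name__ == "__main__":
    print("vulnerable rendering flagged:", simulate(render_tax_row_vulnerable))  # True
    print("escaped rendering flagged:", simulate(render_tax_row_fixed))          # False
```

The `content_type` parameter shows why the `header_3` matcher is there: a JSON response that happens to contain the marker is not an XSS sink, and the model rejects it for the same reason the template does.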
No writeups or analysis indexed.
References
- https://github.com/microweber/microweber/commit/fc9137c031f7edec5f50d73b300919fb519c924a
- https://huntr.dev/bounties/085aafdd-ba50-44c7-9650-fa573da29bcd
Published: 2022-03-11