CVE-2022-0963
Published: 2022-03-15
Priority: P3 (33) · Severity: medium · CVSS 3.1 base score: 5.4 · Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.88% (76.8th percentile)
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | < 1.2.12 | 1.2.12 |
| microweber | microweber | >= 0 < 1.2.12 | 1.2.12 |
| microweber | microweber_microweber | >= unspecified < 1.2.12 | 1.2.12 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 3.0 | 5.7 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
GHSA (2022-03-16)
CVE-2022-0963 [MEDIUM] CWE-79: Unrestricted XML files leading to cross-site scripting in Microweber
Microweber prior to 1.2.12 allows unrestricted upload of XML files, which malicious actors can exploit to cause a stored cross-site scripting attack.
OSV (2022-03-16)
CVE-2022-0963 [MEDIUM] Unrestricted XML files leading to cross-site scripting in Microweber
Microweber prior to 1.2.12 allows unrestricted upload of XML files, which malicious actors can exploit to cause a stored cross-site scripting attack.
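Why an "unrestricted XML upload" is a stored-XSS sink: an XML file served from the site's own origin with an XML content type is rendered by the browser as a document, and if it declares the XHTML (or SVG) namespace its script elements execute in that origin, which is exactly what the Nuclei check below looks for (alert(document.domain) coming back from /userfiles/media/default/). The block below is an added example, not Microweber's code and not taken from the referenced fix commit; it shows a denylist-style validator that lets .xml through beside an allowlist-plus-content-sniffing validator that rejects it even when renamed, and the response headers a media path should send so stored uploads are never rendered inline. All names (vulnerable_accepts, hardened_accepts, safe_download_headers, ALLOWLIST, DENYLIST) and the payload and PNG bytes are constructed for illustration.

```python
"""Added example (not Microweber's code): an unrestricted XML upload as a
stored-XSS sink, and the two controls that close it: an upload validator that
allowlists extensions and sniffs content, and safe headers for serving uploads."""
import re
from pathlib import PurePosixPath

# Constructed payload: a well-formed XML document. Served with an XML content
# type from the same origin as the site, the browser renders it as XHTML and
# runs the script, which is the string the Nuclei template looks for.
PAYLOAD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
  <script>alert(document.domain)</script>
</html>
"""


def _ext(filename: str) -> str:
    """Lower-cased final extension without the dot; '' if there is none."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


# Vulnerable pattern (illustrative): a denylist of "obviously dangerous"
# extensions. It blocks .html and .svg but has no entry for .xml, so the
# payload above is accepted and later served back from the media path.
DENYLIST = {"php", "phtml", "html", "htm", "svg", "js"}


def vulnerable_accepts(filename: str) -> bool:
    return _ext(filename) not in DENYLIST


# Hardened pattern: an allowlist of the media types the site actually needs,
# plus content sniffing so the same payload renamed to .png is also rejected.
# The multipart part's Content-Type header is attacker-controlled, so it is
# deliberately not consulted at all.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "webp", "pdf", "mp4", "zip"}
# Markers of formats a browser renders as a document; any of them can carry script.
ACTIVE_MARKUP = re.compile(rb"<\?xml|<!DOCTYPE|<html|<svg|<script", re.I)


def hardened_accepts(filename: str, content: bytes) -> bool:
    if _ext(filename) not in ALLOWLIST:
        return False
    # Browsers sniff the leading bytes; do the same and refuse document-like content.
    return ACTIVE_MARKUP.search(content[:1024]) is None


def safe_download_headers(filename: str) -> dict:
    """Headers for serving anything under a user-upload path: force a download,
    stop MIME sniffing, and sandbox whatever a browser does decide to render."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(filename).name) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def demo() -> dict:
    """Run both validators over the payload and a benign PNG header (constructed bytes)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    return {
        "vulnerable_accepts_xml": vulnerable_accepts("evil.xml"),
        "hardened_accepts_xml": hardened_accepts("evil.xml", PAYLOAD_XML),
        "hardened_accepts_renamed": hardened_accepts("evil.png", PAYLOAD_XML),
        "hardened_accepts_png": hardened_accepts("photo.png", png),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
    print(safe_download_headers('evil"; x.xml'))
```

The two controls are complementary: the allowlist stops the file being stored, and the headers make sure that anything which does reach the media path is downloaded rather than rendered in the site's origin, so a future gap in the validator is not automatically a stored XSS.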
No detection rules found.
Nuclei
Microweber <1.2.12 - Stored Cross-Site Scripting
nuclei · CVSS 5.4
CVE-2022-0963 [MEDIUM] Microweber <1.2.12 - Stored Cross-Site Scripting

Template as indexed; only the tail of the upload request body, the final GET and the matchers survive, the earlier raw requests are truncated:

```yaml
        Microweber alert(document.domain)
        -----------------------------59866212126262636974202255034--
      - |
        GET /userfiles/media/default/{{to_lower("{{randstr}}")}}.xml HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3,"alert(document.domain)")'
          - 'status_code_3==200'
          - 'contains(body_2,"bytes_uploaded")'
        condition: and
# digest: 490a0046304402202abba5dc34d52c04be635db93b4aebff346275bd135820ea4e2e8c7ac4e7f17c0220534f13b321f4183da7bc57d35cbfbb61e4362c1117518e599f9957893c11cf63:922c64590222798bb761d5b6d8e72950
```

The matchers tie the requests together: the second response must contain bytes_uploaded (the upload was accepted), and the third, a GET of the uploaded .xml from /userfiles/media/default/, must return 200 with alert(document.domain) still in the body, i.e. the file is stored and served back verbatim from the site's origin.
No writeups or analysis indexed.
References
- https://github.com/microweber/microweber/commit/975fc1d6d3fba598ee550849ceb81af23ce72e08 (microweber commit referenced by the advisory)
- https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c (huntr bounty report)