cbcvebase.
CVE-2022-1439
published 2022-04-22

CVE-2022-1439: Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked…

Priority P278 · medium 6.1 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.21% (86.6th percentile)
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
microweber | microweber | < 1.2.15 | 1.2.15
microweber | microweber | >= 0, < 1.2.15 | 1.2.15
microweber | microweber_microweber | >= unspecified, < 1.2.15 | 1.2.15

Detection & IOCs (extracted from sources)

url: /module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}
path: /module/
  • Look for the reflected XSS payload pattern in HTTP GET requests to /module/ — specifically the `module` parameter containing onmouseover/tabindex injection strings.
  • Match HTTP 200 responses containing both the reflected XSS string and 'parent-module-id' in the response body to confirm exploitation.
  • Identify Microweber instances via Shodan favicon hash 780351152 or HTML keyword 'microweber' for asset discovery prior to scanning.
  • FOFA fingerprinting: search for body="microweber" or icon_hash=780351152 to identify exposed Microweber instances.
  • The XSS payload requires user interaction (mouseover or tab key press) to trigger; fully automated exploitation without user interaction may not be possible with the known payload.
  • Vulnerability is only present in Microweber versions prior to 1.2.15; patched in commit ad3928f67b2cd4443f4323d858b666d35a919ba8.
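As an added example that is not part of this record or of the Microweber project, the following Python scanner applies the first detection item above to constructed access-log lines: it URL-decodes the `module` parameter and strips HTML tags before matching, so keyword-splitting variants such as `onm<a>ouseover` still collapse to `onmouseover`. The log format, client IPs and sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style); IPs and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2022:10:00:01 +0000] "GET /module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&id=x HTTP/1.1" 200 5120
203.0.113.6 - - [22/Apr/2022:10:00:02 +0000] "GET /module/?module=content&id=main HTTP/1.1" 200 2048
203.0.113.7 - - [22/Apr/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TAG_RE = re.compile(r"<[^>]*>")
# Inline event handler (on...=) or the tabindex attribute that makes the element focusable.
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=|\btabindex\s*=")


def normalize(value: str) -> str:
    """URL-decode once more (catches double-encoding) and drop HTML tags, so a split
    keyword such as onm<a>ouseover becomes onmouseover before matching."""
    return TAG_RE.sub("", unquote(value)).lower()


def is_suspicious_module_value(value: str) -> bool:
    return HANDLER_RE.search(normalize(value)) is not None


def scan_log(text: str) -> list:
    """Return one finding per GET to /module/ whose `module` parameter carries the
    reflected-XSS pattern; the status is kept so 200 responses can be triaged first."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if "/module/" not in parts.path:
            continue
        # parse_qs already URL-decodes each value once.
        for value in parse_qs(parts.query, keep_blank_values=True).get("module", []):
            if is_suspicious_module_value(value):
                findings.append({
                    "client": line.split(" ", 1)[0],
                    "status": int(m.group("status")),
                    "module": normalize(value),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs do not carry the response body, so the 'parent-module-id' confirmation from the second item above needs a proxy or WAF log that records bodies.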

CVSS provenance

nvd v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd v3.0: 6.3 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
nvd v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck: 6.1 MEDIUM