CVE-2022-2495
Published: 2022-07-22
Priority: P419 · Severity: medium · CVSS 3.1 base score: 4.8
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.56% (percentile 42.2)
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
Affected
6 ranges are listed. Only the microweber ranges belong to this CVE; the three sanic ranges belong to CVE-2022-35920, the separate sanic path-traversal advisory reproduced further down this page. Note also that the sources on this page disagree on the Microweber fix version: NVD says prior to 1.2.21, while OSV and GHSA say before 1.2.20.

| Vendor | Product | Version range | Fixed in | CVE |
|---|---|---|---|---|
| microweber | microweber | < 1.2.21 | 1.2.21 | CVE-2022-2495 |
| microweber | microweber | >= 0, < 1.2.20 | 1.2.20 | CVE-2022-2495 |
| microweber | microweber_microweber | unspecified lower bound, < 1.2.21 | 1.2.21 | CVE-2022-2495 |
| sanic_project | sanic | >= 0, < 20.12.7 | 20.12.7 | CVE-2022-35920 |
| sanic_project | sanic | >= 21.0.0, < 21.12.2 | 21.12.2 | CVE-2022-35920 |
| sanic_project | sanic | >= 22.0.0, < 22.6.1 | 22.6.1 | CVE-2022-35920 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| NVD | 3.0 | 6.8 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L |

The two entries are not the same vector rescored under a newer standard: they differ in attack complexity and in the impact metrics. The 3.1 entry is the score shown in the header of this page.
GHSA (mis-linked advisory: this entry is for CVE-2022-35920, a sanic vulnerability, not for CVE-2022-2495; the sanic fix is pull request #2495, and that number is the only thing it shares with this CVE identifier)
ghsa · 2022-08-06
CVE-2022-35920 [HIGH] CWE-22: sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs
### Impact
Access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted.
### Patches
- v20.12.7 (LTS)
- v21.12.2 (LTS)
- v22.6.1
### References
https://github.com/sanic-org/sanic/issues/2478
https://github.com/sanic-org/sanic/pull/2495
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the community forums](https://community.sanicframework.org/)
* Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)
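The sanic advisory above describes a static-file handler whose containment check is defeated by a URL-encoded slash. The Python below is an added illustration of that bug class and of the fix pattern; it is not sanic's code and does not claim to reproduce sanic's handler. The static root, the request paths and the two function names are constructed for the demonstration and assume POSIX path syntax.

```python
import os
from urllib.parse import unquote

# Constructed static root for the demonstration (hypothetical, not a sanic default).
STATIC_ROOT = "/srv/site/public"


def naive_resolve(root: str, raw_path: str):
    """Reject '..' segments in the undecoded request path, then decode and join.

    This is the bug class: the containment check looks at raw URL segments, so
    '..%2Fprivate%2Fsecret.txt' is a single segment that is not '..' and passes.
    Decoding afterwards turns it into '../private/secret.txt', and path
    normalisation walks into a directory that sits beside the static root
    (a 'lateral' directory, in the advisory's wording).
    """
    if any(segment == ".." for segment in raw_path.split("/")):
        return None
    return os.path.normpath(os.path.join(root, unquote(raw_path)))


def hardened_resolve(root: str, raw_path: str):
    """Decode first, normalise, then require the result to stay under root."""
    root = os.path.abspath(root)
    decoded = unquote(raw_path).lstrip("/")  # a leading '/' would make join() discard root
    candidate = os.path.normpath(os.path.join(root, decoded))
    # commonpath is a directory-boundary check; a plain startswith(root) would
    # also accept a sibling such as /srv/site/public2.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, one plain traversal, one encoded traversal.
    for req in ("css/app.css", "css%2Fapp.css",
                "../private/secret.txt", "..%2Fprivate%2Fsecret.txt"):
        print(f"{req!r:32} naive={naive_resolve(STATIC_ROOT, req)!r:40} "
              f"hardened={hardened_resolve(STATIC_ROOT, req)!r}")
```

The point of the pair is the order of operations: any check that runs before percent-decoding is checking a string the filesystem will never see. On a real server the hardened version should also resolve symlinks (`os.path.realpath`) before the containment test, which this offline demonstration skips so that it needs no filesystem.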
OSV
osv · 2022-07-23
CVE-2022-2495 [MEDIUM] Microweber Stored Cross-site Scripting before v1.2.20
Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).
GHSA
ghsa · 2022-07-23
CVE-2022-2495 [MEDIUM] CWE-79 Microweber Stored Cross-site Scripting before v1.2.20
Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/microweber/microweber/commit/d35e691e72d358430abc8e99f5ba9eb374423b9f
- https://huntr.dev/bounties/00affb69-275d-4f4c-b419-437922bc7798