
CVE-2018-19917: Microweber XSS Vulnerability

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.71353%
Published: 5/14/2022
Updated: 10/6/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: <= 1.0.8
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is explicitly tied to the 'keywords' parameter in search.php across all references (Netsparker example URL: /search.php?keywords=...). Reflected XSS occurs when user input is echoed without sanitization. While no specific function name is provided in advisories, the file (search.php) and parameter ('keywords') are consistently identified. In PHP, this typically involves direct use of $_GET['keywords'] in output contexts (e.g., echo, print) without htmlspecialchars() or equivalent escaping, which aligns with the described vulnerability mechanism.
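The following is an added example that illustrates the mechanism the analysis describes; it is not Microweber's search.php and the function names, the page fragment and the audit heuristic are assumptions made for the example. It shows the unsafe echo-the-parameter pattern beside its hardened form, and a small source-scanning check that flags the direct `echo $_GET[...]` pattern named above during a code review.

```php
<?php
// Added example, not Microweber code: demonstrates reflected XSS via an
// unescaped query parameter and the htmlspecialchars() fix. Function names
// and the page fragment are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: the 'keywords' request parameter is concatenated
 * straight into HTML output, so any markup in it reaches the browser intact.
 */
function renderSearchHeadingUnsafe(array $query): string
{
    $keywords = (string) ($query['keywords'] ?? '');
    return '<h2>Search results for: ' . $keywords . '</h2>';
}

/**
 * Hardened pattern: escape for the HTML body context before output.
 * ENT_QUOTES also escapes single quotes (safe inside quoted attributes),
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, and the explicit charset avoids depending on default_charset.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchHeadingSafe(array $query): string
{
    $keywords = (string) ($query['keywords'] ?? '');
    return '<h2>Search results for: ' . escapeHtml($keywords) . '</h2>';
}

/**
 * Review-time heuristic (assumption: a line-based regex, not a PHP parser):
 * returns the 1-based line numbers where a request superglobal is placed
 * directly in an echo/print statement without an htmlspecialchars/htmlentities
 * call on the same line. Useful as a first pass when auditing templates.
 */
function findUnescapedRequestEchoes(string $phpSource): array
{
    $hits = [];
    foreach (explode("\n", $phpSource) as $index => $line) {
        $directOutput = preg_match('/\b(echo|print)\b[^;]*\$_(GET|POST|REQUEST)\s*\[/', $line) === 1;
        $escaped      = preg_match('/htmlspecialchars|htmlentities/', $line) === 1;
        if ($directOutput && !$escaped) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

// Constructed sample standing in for $_GET on a request like
// /search.php?keywords=...  The value is a harmless marker, not a payload.
$sampleQuery = ['keywords' => 'shoes <b>bold</b> & "quotes"'];

echo 'Unsafe: ' . renderSearchHeadingUnsafe($sampleQuery) . PHP_EOL;
echo 'Safe:   ' . renderSearchHeadingSafe($sampleQuery) . PHP_EOL;

// Constructed sample source for the audit heuristic (not Microweber code).
$sampleSource = <<<'PHP'
<?php
$q = $_GET['keywords'];
echo '<h2>Results for ' . $_GET['keywords'] . '</h2>';
echo '<h2>Results for ' . htmlspecialchars($_GET['keywords'], ENT_QUOTES, 'UTF-8') . '</h2>';
print($_REQUEST['keywords']);
PHP;

echo 'Suspicious lines: ' . implode(', ', findUnescapedRequestEchoes($sampleSource)) . PHP_EOL;
```

The escaping shown is correct only for the HTML body and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or a CSS rule needs the escaping rule for that context instead, which is the usual caveat when auditing a search page that reflects the query term in several places. The regex scanner is deliberately crude: it will miss values assigned to a variable first and echoed later, so treat its output as a starting point for manual review rather than a verdict.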

