
CVE-2021-33988: Cross Site Scripting in Microweber

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.73594%
Published: 10/25/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.2.8
First Patched Version: 1.2.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper neutralization of user input in the login form. The provided POC shows a POST request with an XSS payload in the 'module' parameter being reflected in the response. While the exact code isn't available, XSS in login forms typically occurs when user-controlled input is echoed back without escaping (e.g., in error messages or form repopulation). The confidence is medium because the description explicitly implicates the login form, and the attack pattern matches unescaped output of request parameters, but without patch details or code access, we infer based on standard PHP CMS patterns.
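The "echoed back without escaping" pattern the analysis describes, shown as an added illustration beside its hardened form. This is example code written for this page, not Microweber's code; the handler names, the form markup and the sample value are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration (not Microweber's code): form repopulation that reflects
// a request parameter. The 'module' parameter name comes from the analysis
// above; the handler names and markup are assumptions for this example.

// Read a request parameter as a string, treating non-strings as absent.
function requestString(array $post, string $key): string
{
    $value = $post[$key] ?? null;
    return is_string($value) ? $value : '';
}

// Vulnerable pattern: the submitted 'module' value is concatenated straight
// into an attribute, so a quote in it closes the attribute and any tag that
// follows becomes part of the page (reflected XSS).
function renderLoginFormVulnerable(array $post): string
{
    $module = requestString($post, 'module');
    return '<form method="post" action="/login">'
         . '<input type="hidden" name="module" value="' . $module . '">'
         . '</form>';
}

// Hardened pattern: escape for the HTML attribute context before echoing.
// ENT_QUOTES covers both quote styles; the explicit charset stops malformed
// multibyte sequences from hiding a delimiter. Validating 'module' against
// an allowlist of known module names would be a further layer on top.
function renderLoginFormHardened(array $post): string
{
    $module = requestString($post, 'module');
    $safe = htmlspecialchars($module, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="/login">'
         . '<input type="hidden" name="module" value="' . $safe . '">'
         . '</form>';
}

// Constructed sample: a value that closes the attribute and opens a new tag.
$sample = ['module' => '"><i>injected</i>'];

// The vulnerable output contains a live <i> element; the hardened output
// carries the same characters as &quot;, &lt; and &gt; inside the attribute.
echo renderLoginFormVulnerable($sample), PHP_EOL;
echo renderLoginFormHardened($sample), PHP_EOL;
```

Run with `php example.php` and compare the two lines: only the first contains a parseable tag outside the attribute.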

WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability exists in Microweber CMS (versions before 1.2.8, per the package table above) via the Login form, which could let a malicious user execute JavaScript by inserting code in the request form.
