CVE-2021-33988: Cross Site Scripting in Microweber
CVSS Score: 6.1 (CVSS version 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.73594%
CWE
Published: 10/25/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
microweber/microweber | composer | < 1.2.8 | 1.2.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper neutralization of user input in the login form. The provided POC shows a POST request with an XSS payload in the 'module' parameter being reflected in the response. While the exact code isn't available, XSS in login forms typically occurs when user-controlled input is echoed back without escaping (e.g., in error messages or form repopulation). The confidence is medium because the description explicitly implicates the login form, and the attack pattern matches unescaped output of request parameters, but without patch details or code access, we infer based on standard PHP CMS patterns.
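Because the patch itself is not available for review, the practical defensive check is the version boundary in the table above. The following is an added example, not code from Microweber or from this advisory: it reads a `composer.lock` and classifies any locked copy of `microweber/microweber` against the first patched version 1.2.8. It assumes Microweber is pulled in as a Composer dependency and therefore appears in the lock file (a root-project install is not listed there); the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "microweber/microweber"  # package name from the advisory table
FIRST_PATCHED = (1, 2, 8)          # first patched version from the advisory table


def parse_version(raw):
    """Return a numeric tuple for plain tags like '1.2.7' or 'v1.2.8', else None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", raw.strip())
    if not m:
        # Branch aliases ('dev-master') and pre-release tags ('1.2.8-beta1')
        # cannot be compared safely here and are left for manual review.
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.2' to (1, 2, 0)


def check_lock(lock_text):
    """Classify each locked copy of the package as vulnerable, patched or unknown."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                status = "unknown"
            elif ver < FIRST_PATCHED:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append((section, raw, status))
    return findings


# Constructed sample lock file; 'example/other-package' is a hypothetical name.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "microweber/microweber", "version": "v1.2.7"},
        {"name": "example/other-package", "version": "2.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, raw, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {raw} ({section}): {status}")
```

An `unknown` result means the locked reference is a branch or pre-release and has to be compared against the 1.2.8 release by hand.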