CVE-2022-0277: Microweber Incorrect Permission Assignment for Critical Resource vulnerability
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.50643%
CWE
Published
1/21/2022
Updated
7/9/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
microweber/microweber | composer | < 1.2.11 | 1.2.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper access control on the 'users/search_authors' endpoint. The commit diff shows the critical change from api_expose to api_expose_admin, indicating the original function lacked proper admin restriction. This matches the CWE-732 description of incorrect permission assignment, as non-admin users could access sensitive data through this endpoint before the patch.