
CVE-2022-0277: Microweber Incorrect Permission Assignment for Critical Resource vulnerability

CVSS Score (v3.1)
6.5

Basic Information

EPSS Score
0.50643%
Published
1/21/2022
Updated
7/9/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.2.11
First Patched Version: 1.2.11

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing access control on the 'users/search_authors' API endpoint. The fixing commit changes how the endpoint is registered, from api_expose to api_expose_admin: under api_expose the function was reachable by any authenticated user, while api_expose_admin restricts it to administrators. This matches CWE-732 (Incorrect Permission Assignment for Critical Resource): before the patch, a logged-in non-admin user could call the endpoint and read other users' sensitive information. The CVSS vector (PR:L, C:H, I:N, A:N) reflects exactly that: a low-privileged account suffices, and the impact is confidentiality only. The fix is to upgrade microweber/microweber to 1.2.11 or later; 'composer show microweber/microweber' reports the installed version.
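The registration change described above, as an added illustration that is not Microweber's code: a minimal PHP model of an API registry with a public api_expose and an admin-only api_expose_admin, a hypothetical search_authors handler over constructed user records, and the same non-admin call dispatched against the endpoint registered both ways. The registry, User class, handler, endpoint name and sample data are all assumptions made for this example; only the names api_expose and api_expose_admin come from the advisory.

```php
<?php
// Illustrative model of the CVE-2022-0277 root cause (added example, not Microweber code).
// An endpoint registered with a public "api_expose" is callable by any logged-in user;
// the same endpoint registered with "api_expose_admin" is refused for non-admins.
// Registry, User class, handler and sample data below are hypothetical. Requires PHP 8.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public string $email, public bool $isAdmin) {}
}

final class ApiRegistry
{
    /** @var array<string, array{handler: callable, admin_only: bool}> */
    private array $routes = [];

    // Public exposure: any authenticated user may call the endpoint (the pre-fix state).
    public function api_expose(string $name, callable $handler): void
    {
        $this->routes[$name] = ['handler' => $handler, 'admin_only' => false];
    }

    // Admin-only exposure: the caller must be an administrator (the post-fix state).
    public function api_expose_admin(string $name, callable $handler): void
    {
        $this->routes[$name] = ['handler' => $handler, 'admin_only' => true];
    }

    // Dispatch a call: unknown endpoint -> 404, anonymous -> 401,
    // non-admin on an admin-only endpoint -> 403, otherwise run the handler.
    public function dispatch(string $name, ?User $caller, array $params): array
    {
        if (!isset($this->routes[$name])) {
            return ['status' => 404, 'body' => 'no such endpoint'];
        }
        if ($caller === null) {
            return ['status' => 401, 'body' => 'login required'];
        }
        $route = $this->routes[$name];
        if ($route['admin_only'] && !$caller->isAdmin) {
            return ['status' => 403, 'body' => 'admin only'];
        }
        return ['status' => 200, 'body' => ($route['handler'])($caller, $params)];
    }
}

// Constructed sample data standing in for a users table.
$users = [
    new User(1, 'admin@example.test', true),
    new User(2, 'alice@example.test', false),
    new User(3, 'bob@example.test', false),
];

// Hypothetical handler: returns other users' e-mail addresses, i.e. sensitive data.
$searchAuthors = function (User $caller, array $params) use ($users): array {
    $needle = strtolower($params['q'] ?? '');
    $out = [];
    foreach ($users as $u) {
        if ($needle === '' || str_contains(strtolower($u->email), $needle)) {
            $out[] = ['id' => $u->id, 'email' => $u->email];
        }
    }
    return $out;
};

$admin = $users[0];
$alice = $users[1]; // ordinary, non-admin account

// Pre-fix registration: api_expose, so the non-admin call succeeds and leaks every address.
$before = new ApiRegistry();
$before->api_expose('users/search_authors', $searchAuthors);
$r = $before->dispatch('users/search_authors', $alice, ['q' => '']);
printf("api_expose, non-admin:       HTTP %d, %s\n",
    $r['status'], $r['status'] === 200 ? count($r['body']) . ' records' : $r['body']);

// Post-fix registration: api_expose_admin, so the same call is refused for the non-admin
// and still works for the administrator.
$after = new ApiRegistry();
$after->api_expose_admin('users/search_authors', $searchAuthors);
foreach ([$alice, $admin] as $caller) {
    $r = $after->dispatch('users/search_authors', $caller, ['q' => '']);
    printf("api_expose_admin, %-9s HTTP %d, %s\n",
        $caller->isAdmin ? 'admin:' : 'non-admin:',
        $r['status'], $r['status'] === 200 ? count($r['body']) . ' records' : $r['body']);
}
```

Run it with 'php example.php'. The point of the model is that the handler body is identical in both cases; the only thing that changed in the real fix was which registration function wrapped it, which is why the CWE is a permission-assignment flaw rather than a bug in the search logic itself.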


WAF Protection Rules

WAF Rule

In Microweber prior to 1.2.11, a non-admin user is able to access other users' sensitive information.
