Miggo Logo
Miggo Vulnerability Database
CVE-2022-0501

CVE-2022-0501: Cross-site Scripting in Beanstalk console

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-0501
GHSA ID
GHSA-gj85-pvp5-mvf9
EPSS Score
0.54953%
CWE
CWE-79
Published
2/6/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ptrofimov/beanstalk_consolecomposer< 1.7.121.7.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the handling of the 'server' GET parameter in the global scope of lib/include.php without proper sanitization. The code directly assigns $_GET['server'] to $GLOBALS['server'] which is then reflected in the page output. Since this occurs in the global code and not within a named function, no specific vulnerable functions are identified. The fix applied htmlspecialchars to sanitize the input, confirming that the lack of output encoding in the parameter handling logic was the root cause. The absence of a dedicated function wrapping this logic results in an empty vulnerable_functions array.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***nst*lk *onsol* prior to v*rsion *.*.** is vuln*r**l* to *ross-sit* s*riptin*.

Reasoning

T** vuln*r**ility st*ms *rom t** **n*lin* o* t** 's*rv*r' **T p*r*m*t*r in t** *lo**l s*op* o* li*/in*lu**.p*p wit*out prop*r s*nitiz*tion. T** *o** *ir**tly *ssi*ns $_**T['s*rv*r'] to $*LO**LS['s*rv*r'] w*i** is t**n r**l**t** in t** p*** output. Si