CVE-2022-0557: OS Command Injection in Microweber

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.93706%
Published: 2/12/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.2.11
First Patched Version: 1.2.11

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The patch modifies the file extension validation logic in plupload.php, specifically removing 'php6' from the blocklist. The CWE-78 classification indicates OS command injection, implying the vulnerable code passes untrusted input (e.g., filenames) into system commands without proper sanitization. The exploit demonstrates RCE via .php7 file uploads, which aligns with improper handling of extensions in commands (e.g., using filenames in exec() calls without escaping). The file path and patch context strongly correlate with the vulnerability mechanism.
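As an added illustration (not Microweber code and not the patch itself), the two checks below contrast the extension blocklist approach described above with an allowlist: a blocklist that enumerates `php`, `php6` and a few other spellings still accepts a `.php7` name, while an allowlist of the image types an upload endpoint actually needs rejects it. The function names and both lists are assumptions made for this example.

```php
<?php
// Added example, not code from Microweber or its plupload.php.
// Function names and the extension lists are assumptions for illustration.

// Blocklist: must name every extension the web server could map to a PHP
// handler. Any spelling it omits (here .php7) is accepted as harmless.
function blocklist_allows(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'php6', 'phtml'];
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: only the types this endpoint needs are admitted, so a new or
// unusual executable extension is refused without the list changing.
function allowlist_allows(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;                      // no extension at all: refuse
    }
    return in_array($ext, $allowed, true);
}

// Constructed sample filenames for the comparison.
$samples = ['photo.png', 'shell.php', 'shell.php7', 'shell.PHP7', 'README'];
foreach ($samples as $name) {
    printf("%-12s blocklist: %-4s allowlist: %s\n",
        $name,
        blocklist_allows($name) ? 'pass' : 'deny',
        allowlist_allows($name) ? 'pass' : 'deny');
}
```

Both checks lowercase the extension so that case variants are judged the same way; the allowlist is the form that closes the gap the root cause analysis describes.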

WAF Protection Rules

WAF Rule

Microweber is a content management system with drag and drop. Prior to version 1.2.11, Microweber is vulnerable to OS Command Injection.