Miggo Logo
Miggo Vulnerability Database
CVE-2022-0560

CVE-2022-0560: Open redirect in microweber

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-0560
GHSA ID
GHSA-r992-xph6-h7x2
EPSS Score
0.6075%
CWE
CWE-601
Published
2/12/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
microweber/microwebercomposer< 1.2.111.2.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key evidence is the patch modification to Route::resource('page', 'PageController') where the 'show' method was explicitly excluded. In Laravel resource routing, the 'show' method typically handles displaying individual resources (GET /page/{id}). By removing this route, the developers likely eliminated an endpoint that improperly handled redirects using unvalidated user input. The absence of other security-related changes in the commit strengthens the correlation between the removed route and the open redirect vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

mi*row***r prior to *.*.** is vuln*r**l* to op*n r**ir**t.

Reasoning

T** k*y *vi**n** is t** p*t** mo*i*i**tion to Rout*::r*sour**('p***', 'P****ontroll*r') w**r* t** 's*ow' m*t*o* w*s *xpli*itly *x*lu***. In L*r*v*l r*sour** routin*, t** 's*ow' m*t*o* typi**lly **n*l*s *ispl*yin* in*ivi*u*l r*sour**s (**T /p***/{i*})